
Virtumonde/virtumonde.dll I Cannot Remove It


  • This topic is locked
16 replies to this topic

#1 Igloochick

  • Members
  • 16 posts
  • OFFLINE
  • Local time:06:59 PM

Posted 20 April 2008 - 04:28 PM

Hi,

I downloaded a file yesterday and knew immediately it was hinky, so I ran Ad-Aware, McAfee and Spybot.
Spybot gave me the Virtumonde and virtumonde.dll results. On the first attempt to remove it, it hung my system. On the second attempt it said it fixed the problem. I ran Spybot again and the same two appeared again. Again I removed them and then rebooted. I got two rundll errors, and I'm sorry I didn't write them down.

I went into Internet Explorer to try and run Kaspersky but that was a no go as I was inundated with pop ups that froze the application.

I then DL both DSS and HiJackThis.

I'm really not sure what else I need/should tell you.

Here are the logs. I so appreciate any help you can give.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-20 18:10:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:57 PM, on 4/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\PROGRA~1\Netscape\NETSCA~1\netscape.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qca10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qca10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8CFA562A-C7E8-46ED-9FDD-804845A59F4B} - C:\WINDOWS\System32\byXQIYPI.dll (file missing)
O2 - BHO: (no name) - {BFEB6026-37AD-425A-84BB-7A425D40415A} - C:\WINDOWS\System32\mlJBSkiJ.dll (file missing)
O2 - BHO: (no name) - {C14E6230-757D-4246-81CE-B34E2940C722} - C:\WINDOWS\System32\ljJdATLd.dll
O2 - BHO: (no name) - {EFF7DFCE-4CF2-45DD-985F-962D6266701D} - C:\WINDOWS\System32\urqQiJAp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [20c30321] rundll32.exe "C:\WINDOWS\System32\dprfxmds.dll",b
O4 - HKLM\..\Run: [BM23f030bd] Rundll32.exe "C:\WINDOWS\System32\ksikbupj.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O20 - Winlogon Notify: ljJdATLd - C:\WINDOWS\SYSTEM32\ljJdATLd.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 8685 bytes

-- Files created between 2008-03-20 and 2008-04-20 -----------------------------

2008-04-20 18:09:35 0 d-------- C:\Program Files\Trend Micro
2008-04-20 17:49:42 88128 --a------ C:\WINDOWS\System32\dprfxmds.dll
2008-04-20 17:47:21 94272 --a------ C:\WINDOWS\System32\qqqvxlle.dll
2008-04-20 17:47:14 96320 --a------ C:\WINDOWS\System32\ksikbupj.dll
2008-04-20 17:46:34 197522 --ahs---- C:\WINDOWS\System32\pAJiQqru.ini2
2008-04-20 17:46:31 274432 --a------ C:\WINDOWS\System32\urqQiJAp.dll
2008-04-20 11:39:06 198356 --ahs---- C:\WINDOWS\System32\IPYIQXyb.ini2
2008-04-19 18:44:28 6494 --ahs---- C:\WINDOWS\System32\JikSBJlm.ini2
2008-04-19 18:41:46 36352 --a------ C:\WINDOWS\System32\vtusqpo.dll
2008-04-19 18:37:43 40448 --a------ C:\WINDOWS\System32\fccaAsSJ.dll
2008-04-19 18:35:49 40448 --a------ C:\WINDOWS\System32\ljJdATLd.dll
2008-04-12 10:04:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-22 13:00:04 0 d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-03-22 12:03:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy


-- Find3M Report ---------------------------------------------------------------

2008-04-20 17:59:14 1894 --a------ C:\WINDOWS\mozver.dat
2008-04-19 18:46:43 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-19 12:44:39 0 d-------- C:\Program Files\Trillian
2008-04-18 18:09:46 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-04-18 17:38:01 0 d-------- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-04-15 18:07:06 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2008-03-30 13:10:47 0 d-------- C:\Program Files\McAfee
2008-03-09 11:01:04 0 d-------- C:\Documents and Settings\Owner\Application Data\WinRAR
2008-03-04 11:09:24 0 d-------- C:\Program Files\Maxis
2008-02-20 08:46:38 0 d-------- C:\Program Files\Lavasoft
2008-02-20 08:46:02 0 d-------- C:\Program Files\Common Files
2008-02-20 08:46:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-20 08:43:16 0 d-------- C:\Program Files\LEGOBuilderBots_at
2008-02-20 08:42:50 0 d-------- C:\Program Files\DeerDrive_at
2008-02-20 08:42:20 0 d-------- C:\Program Files\BurgerShop_at
2008-01-28 12:51:27 4096 --a------ C:\WINDOWS\d3dx.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CFA562A-C7E8-46ED-9FDD-804845A59F4B}]
C:\WINDOWS\System32\byXQIYPI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFEB6026-37AD-425A-84BB-7A425D40415A}]
C:\WINDOWS\System32\mlJBSkiJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C14E6230-757D-4246-81CE-B34E2940C722}]
04/19/2008 06:35 PM 40448 --a------ C:\WINDOWS\System32\ljJdATLd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFF7DFCE-4CF2-45DD-985F-962D6266701D}]
04/20/2008 05:46 PM 274432 --a------ C:\WINDOWS\System32\urqQiJAp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [01/26/2004 07:24 AM]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 09:04 PM]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [08/21/2003 08:23 AM]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [08/21/2003 08:15 AM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/12/2003 12:02 AM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 01:01 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [11/03/2003 09:50 PM]
"VTTimer"="VTTimer.exe" []
"LTMSG"="LTMSG.exe" [07/14/2003 10:52 PM C:\WINDOWS\ltmsg.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [09/13/2003 12:13 AM]
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [03/10/2004 05:26 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/10/2007 10:56 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 11:33 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [08/24/2007 06:57 PM]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 02:47 PM C:\WINDOWS\ALCXMNTR.EXE]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CAMTRAY.EXE" [07/30/2004 12:04 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"20c30321"="C:\WINDOWS\System32\dprfxmds.dll" [04/20/2008 05:49 PM]
"BM23f030bd"="C:\WINDOWS\System32\ksikbupj.dll" [04/20/2008 05:47 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [11/15/2004 05:18 PM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [01/03/2008 10:54 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 12:43 PM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [1/27/2004 7:26:18 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [1/26/2004 10:20:47 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C14E6230-757D-4246-81CE-B34E2940C722}"= C:\WINDOWS\System32\ljJdATLd.dll [04/19/2008 06:35 PM 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJdATLd]
ljJdATLd.dll 04/19/2008 06:35 PM 40448 C:\WINDOWS\system32\ljJdATLd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\urqQiJAp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""




-- End of Deckard's System Scanner: finished at 2008-04-20 18:11:22 ------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 3000+
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 1023.48 MiB / 581.53 MiB
Pagefile Memory (total/avail): 2461.89 MiB / 2066.79 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1929.06 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 145.16 GiB total, 115.27 GiB free.
D: is Fixed (FAT32) - 3.87 GiB total, 0.61 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - SAMSUNG SP1604N - 149.05 GiB - 2 partitions
\PARTITION0 - Unknown - 3.88 GiB - D:
\PARTITION1 (bootable) - Installable File System - 145.16 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LILBRAT
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\LILBRAT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=LILBRAT
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{363435F2-7426-11D8-9966-00A0C9663221}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC067AB0-2594-4A7E-A1DE-ADEB7D15EB4B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Album Starter Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{483616D1-867E-46F8-BEC7-3C6475933908}\apxp.ex_" -l0x9
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
AdVantage (Powering DAEMON Tools) --> "C:\Program Files\AdVantage\AdVUninst.exe" /r DAEM /d "AdVantage (Powering DAEMON Tools)" /m "AdVantage is safe advertising software that supports Freeze.com.\nAdVantage is certified by TRUSTe as a Trusted Download.\n\nAre you sure you want to uninstall AdVantage support for DAEMON Tools?"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{083F79E4-6FE9-46FB-A6C6-4F8862742947}\setup.exe"
ATI Parental Control & Encoder --> MsiExec.exe /I{9862B19F-4CAD-4EED-920F-2F378D84393F}
ATI Problem Report Wizard --> MsiExec.exe /X{5DA6F06A-B389-407B-BF8C-1548767914D8}
Blackhawk Striker from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\F07504C6-20C5-4BFE-83A0-523FB2455E72\Uninstall.exe"
Blasterball 2 from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\75528D5F-DD82-402E-BA7C-045B7DC6A712\Uninstall.exe"
Bounce Symphony from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\29FF6D07-4A15-41F1-9D5E-E0F3A58012C6\Uninstall.exe"
Canon i850 --> C:\WINDOWS\System32\CNMCP4B.exe "-PRINTERNAMECanon i850" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon i850 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
Compaq Connections --> C:\WINDOWS\BWUnin-6.2.3.66L.exe -AppId 1940576
Compaq Instant Support --> C:\PROGRA~1\COMPAQ~2\UNWISE.EXE C:\PROGRA~1\COMPAQ~2\INSTALL.LOG
Creative WebCam Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{363435F2-7426-11D8-9966-00A0C9663221}\setup.exe" -l0x9 /remove
Creative WebCam Live! Pro Driver (1.01.01.1011) --> C:\WINDOWS\CtDrvIns.exe -uninstall -script VF0080.uns -unsext NT -plugin V0080Pin.dll -pluginres V0080Pin.crl
Creative WebCam Live! Pro User's Guide (English) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Creative WebCam Live! Pro\Creative WebCam Live! Pro User's Guide\English\CTManual.isu"
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Excavation from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\C679AA5F-C2C8-4EA8-9CD1-504A39AEC264\Uninstall.exe"
Five Card Frenzy from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\2FDCC229-354D-4279-ABEF-CE17E355BFFA\Uninstall.exe"
Get Yahoo! Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC067AB0-2594-4A7E-A1DE-ADEB7D15EB4B}\setup.exe" -l0x9 /remove
HP Deskjet Preloaded Printer Drivers --> MsiExec.exe /X{F419D20A-7719-4639-8E30-C073A040D878}
HP Photo & Imaging 3.5 - HP Devices --> C:\Program Files\HP\Digital Imaging\{15B9DC72-73F9-4d99-9E28-848D66DA8D99}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP PSC & OfficeJet 3.0 --> "C:\Program Files\HP\Digital Imaging\{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
InterVideo WinDVD Creator 2 --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
KBD --> C:\HP\KBD\KBD.EXE uninstalled
LEGO Island 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\LEGO Media\LEGO Island 2\Setup.exe"
Macromedia Flash Player 8 --> MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition --> MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Mozilla Firefox (2.0.0.8) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Need For Speed Hot Pursuit 2 --> C:\Program Files\EA Games\Need For Speed Hot Pursuit 2\EAUninstall.exe
Netscape Browser (remove only) --> "C:\Program Files\Netscape\Netscape Browser\NSUninst.exe"
NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
NVIDIA GART Driver --> C:\WINDOWS\System32\nvugart.exe Uninstall C:\WINDOWS\System32\Nvgart.nvu,NVIDIA GART Driver
Orbital from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\26DC0ED6-93A7-43C1-8DC5-EC16079580F9\Uninstall.exe"
Otto from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8A225900-C06D-41DD-B66C-43840D472758\Uninstall.exe"
Overball from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\FA7F5211-C629-4711-BD82-7DFFB08CB518\Uninstall.exe"
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
Pinnacle Hollywood FX for Studio --> C:\WINDOWS\unvise32.exe C:\Program Files\Pinnacle\Hollywood FX for Studio\5.5\uninstal.log
Polar Bowler from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\05E21449-3BA3-42BF-BBDA-95205F4EA40A\Uninstall.exe"
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Slyder from Compaq (remove only) --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\8BA6F58B-7A91-461F-95F8-E34F8BD8AA4E\Uninstall.exe"
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SpamSubtract --> C:\PROGRA~1\INTERM~1\SPAMSU~1\UNWISE.EXE /U C:\PROGRA~1\INTERM~1\SPAMSU~1\INSTALL.LOG
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Streets of SimCity --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Maxis\Streets of SimCity\DeIsL1.isu"
Stronghold 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{16D2C649-CBA8-44EE-B730-12584667D487}\setup.exe" -l0x9 -removeonly
Studio 9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E491AB7-4589-48CA-9CBB-874CB2788391}\setup.exe" -l0x9 UNINSTALL
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Installer 3.0 (KB884016) --> C:\WINDOWS\$MSI30UninstallMSI30-KB884016$\spuninst\spuninst.exe
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1860 / Error
Event Submitted/Written: 04/20/2008 05:49:49 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application TeaTimer.exe, version 1.5.2.16, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1851 / Success
Event Submitted/Written: 04/20/2008 02:48:28 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1850 / Error
Event Submitted/Written: 04/20/2008 11:40:29 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application TeaTimer.exe, version 1.5.2.16, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1845 / Error
Event Submitted/Written: 04/19/2008 06:49:23 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application TeaTimer.exe, version 1.5.2.16, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1829 / Success
Event Submitted/Written: 04/18/2008 05:35:36 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type10580 / Warning
Event Submitted/Written: 04/19/2008 08:39:54 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\BRUTE on the network \Device\NetBT_Tcpip_{39D3EC43-968A-4F9F-8359-4000FCCB77E6}.
The data is the error code.

Event Record #/Type10517 / Warning
Event Submitted/Written: 04/18/2008 08:38:20 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\BRUTE on the network \Device\NetBT_Tcpip_{39D3EC43-968A-4F9F-8359-4000FCCB77E6}.
The data is the error code.

Event Record #/Type10382 / Warning
Event Submitted/Written: 04/15/2008 08:28:57 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\BRUTE on the network \Device\NetBT_Tcpip_{39D3EC43-968A-4F9F-8359-4000FCCB77E6}.
The data is the error code.

Event Record #/Type10097 / Error
Event Submitted/Written: 04/12/2008 10:11:03 AM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type10093 / Warning
Event Submitted/Written: 04/12/2008 09:42:38 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2008-04-20 17:55:33 ------------


#2 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,146 posts
  • Gender:Male
  • Location:Midlands, UK
Posted 22 April 2008 - 09:15 AM

Hi Igloochick and welcome to Bleeping Computer.

I will be handling your log and helping you to get cleaned up.

Please take note of the following:

1. Please do not make any system changes yet, as any changes you make may well alter your log.
2. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
3. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
4. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Starbuck



#3 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,146 posts
  • Gender:Male
  • Location:Midlands, UK
Posted 22 April 2008 - 12:41 PM

Hi Igloochick,

It's not surprising that your system is infected.....
You are lacking a lot of 'Security Updates'; we will need to address this once we have cleaned up your system (we cannot do this while the system is infected).

Step 1
Please disable Spybot S&D’s TeaTimer protection, because it is known to interfere with our fixes.
You can enable it again after you're clean.
Open Spybot and click on 'Mode' then click 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.

Reboot the computer.

Step 2
Run HijackThis again, click Scan, and put a checkmark next to each of these items.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8CFA562A-C7E8-46ED-9FDD-804845A59F4B} - C:\WINDOWS\System32\byXQIYPI.dll (file missing)
O2 - BHO: (no name) - {BFEB6026-37AD-425A-84BB-7A425D40415A} - C:\WINDOWS\System32\mlJBSkiJ.dll (file missing)
O2 - BHO: (no name) - {C14E6230-757D-4246-81CE-B34E2940C722} - C:\WINDOWS\System32\ljJdATLd.dll
O2 - BHO: (no name) - {EFF7DFCE-4CF2-45DD-985F-962D6266701D} - C:\WINDOWS\System32\urqQiJAp.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [20c30321] rundll32.exe "C:\WINDOWS\System32\dprfxmds.dll",b
O4 - HKLM\..\Run: [BM23f030bd] Rundll32.exe "C:\WINDOWS\System32\ksikbupj.dll",s
O20 - Winlogon Notify: ljJdATLd - C:\WINDOWS\SYSTEM32\ljJdATLd.dll

Then close all other windows, browsers etc.--you should only see HijackThis on your Desktop--and click the Fix Checked button.

Step 3
Please download ComboFix

**Note: It is important that it is saved directly to your desktop**

There are full instructions on how to download and run ComboFix here:
How to use ComboFix
Please follow all the instructions to the letter...(this is very important)

Please ensure that you install the Recovery Console.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
Note: Do not mouse-click ComboFix's window while it's running. This may cause it to stall.

When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.

In your next reply, please submit:
ComboFix.txt
and a new Hjt log.

Thanks.



#4 Igloochick
  • Topic Starter

  • Members
  • 16 posts

Posted 22 April 2008 - 02:41 PM

Hi Starbuck and thank you so much for taking the time to help.



Just one thing before I post the logs. On following your step #2, the following did not seem to be present. Actually nothing in the O2 range appeared, and I tried running it twice. I see however that some are there after I ran ComboFix, but I am leaving them until you direct me otherwise, as I'm not sure about doing things out of order.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8CFA562A-C7E8-46ED-9FDD-804845A59F4B} - C:\WINDOWS\System32\byXQIYPI.dll (file missing)
O2 - BHO: (no name) - {BFEB6026-37AD-425A-84BB-7A425D40415A} - C:\WINDOWS\System32\mlJBSkiJ.dll (file missing)
O2 - BHO: (no name) - {C14E6230-757D-4246-81CE-B34E2940C722} - C:\WINDOWS\System32\ljJdATLd.dll
O2 - BHO: (no name) - {EFF7DFCE-4CF2-45DD-985F-962D6266701D} - C:\WINDOWS\System32\urqQiJAp.dll


Also, the Recovery Console: again, I followed that step by step, but when I went and dragged the dl icon onto the ComboFix icon as per the directions, it didn't seem to follow the procedure for installing the Recovery Console, as the screens coming up were the ones saying ComboFix is preparing to run. I stopped it, disabled all programs (antivirus etc.) and then went ahead and ran it. The rest seemed to go precisely as laid out in the ComboFix tutorial.

combofix.txt

ComboFix 08-04-20.5 - Owner 2008-04-22 16:13:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.681 [GMT -3:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bbjpffdb.dll
C:\WINDOWS\system32\bHiOWvut.ini
C:\WINDOWS\system32\bHiOWvut.ini2
C:\WINDOWS\system32\fccaAsSJ.dll
C:\WINDOWS\system32\HQrssBeg.ini
C:\WINDOWS\system32\HQrssBeg.ini2
C:\WINDOWS\system32\IPYIQXyb.ini
C:\WINDOWS\system32\IPYIQXyb.ini2
C:\WINDOWS\system32\JikSBJlm.ini
C:\WINDOWS\system32\JikSBJlm.ini2
C:\WINDOWS\system32\ljJdATLd.dll
C:\WINDOWS\system32\opnLbBqp.dll
C:\WINDOWS\system32\pAJiQqru.ini
C:\WINDOWS\system32\pAJiQqru.ini2
C:\WINDOWS\system32\pqBbLnpo.ini
C:\WINDOWS\system32\pqBbLnpo.ini2
C:\WINDOWS\system32\rwreyqns.ini
C:\WINDOWS\system32\snqyerwr.dll
C:\WINDOWS\system32\vtusqpo.dll
C:\WINDOWS\system32\yixfynfs.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-21 20:44 . 2008-04-21 20:51 1,540,617 --ahs---- C:\WINDOWS\system32\sgnejimn.ini
2008-04-21 18:38 . 2008-04-21 20:27 1,540,617 --ahs---- C:\WINDOWS\system32\umnyglcc.ini
2008-04-20 18:09 . 2008-04-20 18:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 17:52 . 2008-04-20 17:52 <DIR> d-------- C:\Deckard
2008-04-20 17:49 . 2008-04-21 07:41 1,540,686 --ahs---- C:\WINDOWS\system32\sdmxfrpd.ini
2008-04-20 11:45 . 2008-04-20 17:37 1,540,677 --ahs---- C:\WINDOWS\system32\wsyqwyjj.ini
2008-04-20 11:39 . 2008-04-21 18:32 109,738 --a------ C:\WINDOWS\BM23f030bd.xml
2008-04-19 19:02 . 2008-04-21 21:20 1,076 --a------ C:\WINDOWS\wininit.ini
2008-04-12 10:04 . 2008-04-12 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-22 13:52 . 2008-03-22 13:00 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-22 13:00 . 2008-03-22 13:56 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-03-22 12:03 . 2008-03-22 12:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-22 12:03 . 2008-03-23 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 19:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\DAEMON Tools
2008-04-22 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-19 21:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-19 15:44 --------- d-----w C:\Program Files\Trillian
2008-04-18 21:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-04-18 20:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-03-30 16:10 --------- d-----w C:\Program Files\McAfee
2008-03-04 14:09 --------- d-----w C:\Program Files\Maxis
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C416178-0A0E-4D74-880A-01C8774C15F5}]
C:\WINDOWS\System32\tuvWOiHb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{353E1E93-C8FA-41BF-BA68-56396C2BC773}]
C:\WINDOWS\System32\geBssrQH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CFA562A-C7E8-46ED-9FDD-804845A59F4B}]
C:\WINDOWS\System32\byXQIYPI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFEB6026-37AD-425A-84BB-7A425D40415A}]
C:\WINDOWS\System32\mlJBSkiJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7A602D9-5DC4-4E53-A0AD-779A122DB2CE}]
C:\WINDOWS\System32\urqQiJAp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 17:18 1670144]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-03 10:54 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-01-26 07:24 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 21:04 52736]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 08:23 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 08:15 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-12 00:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 13:01 110592]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2003-11-03 21:50 221184]
"VTTimer"="VTTimer.exe" []
"LTMSG"="LTMSG.exe" [2003-07-14 22:52 40960 C:\WINDOWS\ltmsg.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-13 00:13 98304]
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [2004-03-10 17:26 406016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-10 10:56 98304]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 18:57 36640]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CAMTRAY.EXE" [2004-07-30 12:04 245760]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2004-01-27 07:26:18 557056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJdATLd]
ljJdATLd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R3 V0080Dev;Creative Camera VF0080 Driver;C:\WINDOWS\System32\DRIVERS\V0080Dev.sys [2004-10-09 06:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 05:42:02 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-01 05:00:29 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 16:17:30
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-04-22 16:21:41 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-04-22 19:21:38

Pre-Run: 123,633,778,688 bytes free
Post-Run: 123,654,922,240 bytes free

139 --- E O F --- 2008-04-12 12:39:12

hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:28 PM, on 4/22/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {0C416178-0A0E-4D74-880A-01C8774C15F5} - C:\WINDOWS\System32\tuvWOiHb.dll (file missing)
O2 - BHO: (no name) - {353E1E93-C8FA-41BF-BA68-56396C2BC773} - C:\WINDOWS\System32\geBssrQH.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8CFA562A-C7E8-46ED-9FDD-804845A59F4B} - C:\WINDOWS\System32\byXQIYPI.dll (file missing)
O2 - BHO: (no name) - {BFEB6026-37AD-425A-84BB-7A425D40415A} - C:\WINDOWS\System32\mlJBSkiJ.dll (file missing)
O2 - BHO: (no name) - {C7A602D9-5DC4-4E53-A0AD-779A122DB2CE} - C:\WINDOWS\System32\urqQiJAp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O20 - Winlogon Notify: ljJdATLd - ljJdATLd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 7803 bytes

#5 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,146 posts
  • Gender:Male
  • Location:Midlands, UK
Posted 23 April 2008 - 02:06 PM

Hi Igloochick,

Before we start with the next part of the fix, let me explain the problems you encountered:

Actually nothing in the O2 range appeared and I tried running it twice. I see however that some are there after I ran combofix

Certain Vundo infections can hide themselves from HijackThis.
Because you gave us a DSS report (DSS renames Hjt so that the infections will show) the infections actually showed up.
When you tried to remove them with Hjt.... they were hidden again. That's why you didn't see them.
After you had run ComboFix...... the program removed the 'rootkit' that hides them.... so that's why they showed up then.
Don't worry, I'll remove them for you later on in the next part of the fix.

Also, the recovery console, again I followed that step by step but when I went and dragged the dl icon onto the combofix icon as per the directions it didn't seem to follow the procedure for installing the recovery console

Some systems already have the 'recovery console' installed...... it seems that your system already had it..... so it didn't need to be installed.
We have no way of telling if a system already has it.... that's why we ask you to install it.

You did the right thing in explaining the problems you had.
If you have any more problems.... just let me know and I'll explain them for you.

Step 1
Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
File::
C:\WINDOWS\system32\sgnejimn.ini
C:\WINDOWS\system32\umnyglcc.ini
C:\WINDOWS\system32\sdmxfrpd.ini
C:\WINDOWS\system32\wsyqwyjj.ini
C:\WINDOWS\BM23f030bd.xml

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C416178-0A0E-4D74-880A-01C8774C15F5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{353E1E93-C8FA-41BF-BA68-56396C2BC773}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CFA562A-C7E8-46ED-9FDD-804845A59F4B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFEB6026-37AD-425A-84BB-7A425D40415A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7A602D9-5DC4-4E53-A0AD-779A122DB2CE}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJdATLd]
Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Step 2
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will now start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please submit:
New ComboFix.txt
Kaspersky Scan Report
A New Hjt log.

And could you please answer the following questions:
Is your system running any better now?
Is there any reason that you have not updated to SP2? (service pack 2 for windows xp)

Thanks.


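The triage Starbuck does by eye in posts #3 to #5, written out as an added example that is not part of this thread: a Python script that flags the Vundo-style HijackThis entries (unnamed O2 BHOs loading an eight-letter DLL from System32, O4 rundll32 Run entries with a one-letter export, an O20 Winlogon Notify package named after its own subkey) and drafts the Registry:: lines in the same CFScript form used in Step 1 above. The heuristics, the function names and the sample lines (copied from the logs posted earlier in the thread, plus three benign entries) are assumptions of the example, and its output is a draft for a helper to review against the full log, not a script to run blind.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis logs in this thread, plus
# three benign entries (Adobe, SiteAdvisor, QuickTime) to show what is NOT flagged.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C416178-0A0E-4D74-880A-01C8774C15F5} - C:\WINDOWS\System32\tuvWOiHb.dll (file missing)
O2 - BHO: (no name) - {8CFA562A-C7E8-46ED-9FDD-804845A59F4B} - C:\WINDOWS\System32\byXQIYPI.dll (file missing)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [20c30321] rundll32.exe "C:\WINDOWS\System32\dprfxmds.dll",b
O4 - HKLM\..\Run: [BM23f030bd] Rundll32.exe "C:\WINDOWS\System32\ksikbupj.dll",s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: ljJdATLd - C:\WINDOWS\SYSTEM32\ljJdATLd.dll
"""

# Eight purely alphabetic characters: the name shape of every Vundo DLL in this thread.
# (Hypothetical heuristic for this example; a real triage would cross-check the full log.)
DLL8 = r"(?P<dll>[A-Za-z]{8})\.dll"

NONAME_BHO = re.compile(
    r"^O2 - BHO: \(no name\) - \{(?P<guid>[0-9A-Fa-f-]+)\} - .*?\\System32\\" + DLL8, re.I)
RUNDLL_RUN = re.compile(
    r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] rundll32\.exe "[^"]*\\System32\\'
    + DLL8 + r'",(?P<export>[A-Za-z])\s*$', re.I)
WINLOGON_NOTIFY = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?:.*\\)?" + DLL8, re.I)


@dataclass
class Finding:
    line: str
    dll: str
    reason: str
    guid: Optional[str] = None        # CLSID of a flagged BHO
    notify_key: Optional[str] = None  # flagged Winlogon Notify subkey


def triage(log_text: str) -> List[Finding]:
    """Return the HijackThis lines that match the Vundo-style patterns seen in this thread."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NONAME_BHO.match(line)
        if m:
            findings.append(Finding(line, m["dll"],
                                    "unnamed BHO loading an 8-letter DLL from System32",
                                    guid=m["guid"].upper()))
            continue
        m = RUNDLL_RUN.match(line)
        if m:
            findings.append(Finding(line, m["dll"],
                                    f"Run entry [{m['name']}] loads an 8-letter System32 DLL "
                                    f"via rundll32, export '{m['export']}'"))
            continue
        m = WINLOGON_NOTIFY.match(line)
        # Vundo registers the Notify package under a subkey with the DLL's own name.
        if m and m["key"].lower() == m["dll"].lower():
            findings.append(Finding(line, m["dll"],
                                    "Winlogon Notify package named after its own subkey",
                                    notify_key=m["key"]))
    return findings


def cfscript_registry_lines(findings: List[Finding]) -> List[str]:
    """Draft the Registry:: section in the form the CFScript in this thread uses.
    The leading '-' on each key asks ComboFix to delete that key."""
    lines = ["Registry::"]
    for f in findings:
        if f.guid:
            lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{{{f.guid}}}]")
        elif f.notify_key:
            lines.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
                         f"\\winlogon\\notify\\{f.notify_key}]")
    return lines


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.dll}: {f.reason}")
    print()
    print("\n".join(cfscript_registry_lines(found)))
```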

#6 Igloochick
  • Topic Starter

  • Members
  • 16 posts

Posted 23 April 2008 - 05:34 PM

Hi Starbuck, thanks so much for the assistance and the explanations. I greatly appreciate it.

As to your questions. Yes, my system appears to be working very well. I can actually use my browsers etc. and they come up much more quickly.

As to SP2. (hides) There is a reason. A few months ago I had computer issues and I tried installing SP2. My system became inoperable and I had to take it to a computer shop and had to go back to the original factory install. It turns out the issue was a bad memory stick. Once I got the system back up and running again I didn't want to tempt fate and another trip to the computer shop. I suppose I should just close my eyes and try the upgrade again, shouldn't I?


Question. The Kaspersky scan found issues. But I saw no directive to clean those by the program. Is that correct?

As to the logs here they are.



ComboFix 08-04-20.5 - Owner 2008-04-23 16:54:12.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.688 [GMT -3:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM23f030bd.xml
C:\WINDOWS\system32\sdmxfrpd.ini
C:\WINDOWS\system32\sgnejimn.ini
C:\WINDOWS\system32\umnyglcc.ini
C:\WINDOWS\system32\wsyqwyjj.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM23f030bd.xml
C:\WINDOWS\system32\sdmxfrpd.ini
C:\WINDOWS\system32\sgnejimn.ini
C:\WINDOWS\system32\umnyglcc.ini
C:\WINDOWS\system32\wsyqwyjj.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-20 18:09 . 2008-04-20 18:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 17:52 . 2008-04-20 17:52 <DIR> d-------- C:\Deckard
2008-04-19 19:02 . 2008-04-21 21:20 1,076 --a------ C:\WINDOWS\wininit.ini
2008-04-12 10:04 . 2008-04-12 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-22 19:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\DAEMON Tools
2008-04-19 21:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-19 15:44 --------- d-----w C:\Program Files\Trillian
2008-04-18 21:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-04-18 20:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-03-30 16:10 --------- d-----w C:\Program Files\McAfee
2008-03-23 14:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-22 16:00 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-22 15:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-04 14:09 --------- d-----w C:\Program Files\Maxis
.

((((((((((((((((((((((((((((( snapshot@2008-04-22_16.21.27.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-22 19:17:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 11:56:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-22 19:17:06 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-23 16:29:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-22 19:17:06 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-23 16:29:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-22 19:17:06 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-23 16:29:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-06 16:38:01 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-22 19:19:29 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-06 16:38:01 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-22 19:19:29 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 17:18 1670144]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-03 10:54 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-01-26 07:24 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 21:04 52736]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 08:23 49152]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-08-21 08:15 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-12 00:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 13:01 110592]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2003-11-03 21:50 221184]
"VTTimer"="VTTimer.exe" []
"LTMSG"="LTMSG.exe" [2003-07-14 22:52 40960 C:\WINDOWS\ltmsg.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-13 00:13 98304]
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [2004-03-10 17:26 406016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-10 10:56 98304]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 18:57 36640]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CAMTRAY.EXE" [2004-07-30 12:04 245760]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2004-01-27 07:26:18 557056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R3 V0080Dev;Creative Camera VF0080 Driver;C:\WINDOWS\System32\DRIVERS\V0080Dev.sys [2004-10-09 06:51]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 05:42:02 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-01 05:00:29 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 16:55:41
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-04-23 16:57:13
ComboFix-quarantined-files.txt 2008-04-23 19:56:57
ComboFix2.txt 2008-04-22 19:21:43

Pre-Run: 123,649,294,336 bytes free
Post-Run: 123,632,812,032 bytes free

112 --- E O F --- 2008-04-12 12:39:12


Kaspersky Scan Report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 23, 2008 7:14:43 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/04/2008
Kaspersky Anti-Virus database records: 723489
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 88777
Number of viruses found: 12
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 01:09:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{C0A2FCAB-787C-45E8-B353-A2E1E11C5B8B}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\bin\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF6A8B.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\AdVantage\AdVantage.exe Infected: not-a-virus:AdTool.Win32.WhenU.t skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\L0000003.FCS Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Compaq Connections\1940576\Users\Default\Data\storydb.idx Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bbjpffdb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qoy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fccaAsSJ.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.oax skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJdATLd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.oax skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\snqyerwr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qov skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtusqpo.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-04-22_161530.20.zip/opnLbBqp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\QooBox\Quarantine\catchme2008-04-22_161530.20.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP204\A0035308.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmw skipped
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP204\A0035309.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP204\A0035310.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qok skipped
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP204\A0035311.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qfq skipped
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP206\A0036434.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qoy skipped
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP206\A0036435.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.oax skipped
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP206\A0036436.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.oax skipped
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP206\A0036437.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qov skipped
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP206\A0036438.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP207\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\mcafee_evV4WlaCMIrHowq Object is locked skipped
C:\WINDOWS\Temp\mcmsc_7EbYhtHlrhsRmOq Object is locked skipped
C:\WINDOWS\Temp\mcmsc_UXSY16boj7QgRFU Object is locked skipped
C:\WINDOWS\Temp\mcmsc_wRrfYveo26Kh6Gt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP207\change.log Object is locked skipped

Scan process completed.


Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:13 PM, on 4/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 7123 bytes

#7 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:59 PM

Posted 24 April 2008 - 12:03 PM

Hi Igloochick,

Glad to hear things are running better.

I suppose I should just close my eyes and try the upgrade again shouldn't I?

We'll get your system 'clean' then we'll sort that out for you.
SP2 will fix a lot of security issues within your operating system.

The Kaspersky scan found issues. But I saw no directive to clean those by the program. Is that correct?

Yes, that's correct. Not all online scans have the ability to remove infections.
We use Kaspersky because it gives us a very good readout.... then we work with what it has given us.
Most of what it found is nothing to worry about.... most of the bad entries are either in 'quarantine' or in your 'Restore Points'.
This is easy to address a bit later.

Things are looking a lot better now.
Let's do a bit more 'cleaning' and then I'd like you to run a different type of scan.

Step 1
There's a program on your system that I recommend that you remove:
AdVantage
Added by the Adware.MediaAdVantage adware. Adware.MediaAdVantage is an adware program that monitors the contents of Internet browser windows.

Click on start... settings... control panel and double-click on Add or Remove Programs. From within Add or Remove Programs uninstall the following (by clicking on the entry and then selecting Remove)

AdVantage

Step 2
Optional
These lines are not bad, but they are not necessary to run at startup.
If you need them you can start them manually.
Ticking the following lines may save you valuable resources.

Run Hijackthis again, click scan, and Put a checkmark next to each of these items.
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE


This entry:
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
If you don't use Windows Messenger, this can be annoying. Available via Start -> Programs. Go to Windows Messenger > Tools > Options > Preferences and uncheck "Run this program when Windows starts"

The following entries are 'Open to Debate'.

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
It's up to you if you want to get rid of them.
Registry keys that create a menu item that points to a local web page that points to an MSN search page that uses the Alexa engine.

Please read this:
http://www.imilly.com/alexa.htm
and decide for yourself.

Then close all other windows, browsers etc--you should only see HijackThis on your Desktop--and click the Fix Checked button.

Reboot your computer to complete the process.

Step 3
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Step 4
Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

In your next reply, please submit:
Gmer results
and a new Hjt log.

Thanks.


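The triage Starbuck describes above (locked objects are noise, findings inside ComboFix's quarantine or the System Restore points are inert, only objects still on the live file system need action) can be automated over a Kaspersky Online Scanner report of the shape posted in this thread. This is an added example, not code from the thread or from any Kaspersky tool; the report line format is taken from the log above, and the sample lines are constructed to mirror it.

```python
"""Triage a Kaspersky Online Scanner report by where each finding lives.

Added example for this thread; the sample report below is constructed from
the line shapes seen in the log above ('path Infected: name skipped',
'path Object is locked skipped', 'path ZIP: infected - N skipped').
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the same shape as the Kaspersky report posted above.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bbjpffdb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qoy skipped
C:\System Volume Information\_restore{88A9728D-068D-4BE5-99BD-49CC3FD4BC94}\RP206\A0036438.dll Infected: Packed.Win32.Monder.gen skipped
C:\Program Files\AdVantage\AdVantage.exe Infected: not-a-virus:AdTool.Win32.WhenU.t skipped
C:\Documents and Settings\Owner\Desktop\bin\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\QooBox\Quarantine\catchme2008-04-22_161530.20.zip ZIP: infected - 1 skipped
"""

# One regex per line shape seen in the report.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>[A-Z0-9]+): infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


@dataclass
class Finding:
    path: str
    verdict: str     # detection name, or a short description for archives
    location: str    # 'live', 'quarantine', 'restore_point' or 'n/a'
    kind: str        # 'infected', 'archive', 'locked' or 'unparsed'

    @property
    def is_riskware(self) -> bool:
        # Kaspersky's 'not-a-virus:' prefix marks adware/riskware/tools,
        # not self-replicating malware; it still warrants a look, but a
        # different one (pskill.exe above is a legitimate admin tool).
        return self.verdict.startswith("not-a-virus:")


def location_of(path: str) -> str:
    """Where an infected object lives decides how urgent it is."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point"  # inert unless that restore point is applied
    if low.startswith("c:\\qoobox\\") or "\\quarantine\\" in low:
        return "quarantine"     # already moved aside by ComboFix / catchme
    return "live"               # still on the running system: act on these


def parse_report(text: str) -> list:
    """Turn report lines into Findings; unknown shapes are kept, not dropped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            findings.append(Finding(m["path"], m["name"], location_of(m["path"]), "infected"))
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            desc = f"{m['kind']} archive with {m['count']} infected member(s)"
            findings.append(Finding(m["path"], desc, location_of(m["path"]), "archive"))
            continue
        m = LOCKED_RE.match(line)
        if m:
            # Locked system files (SAM, hives, event logs) are normal scan noise.
            findings.append(Finding(m["path"], "", "n/a", "locked"))
            continue
        findings.append(Finding(line, "", "n/a", "unparsed"))
    return findings


def actionable(findings: list) -> list:
    """Only detections still on the live file system need cleanup now."""
    return [f for f in findings if f.kind in ("infected", "archive") and f.location == "live"]


def summarise(findings: list) -> dict:
    """Counts keyed by location for detections, by kind for everything else."""
    counts = defaultdict(int)
    for f in findings:
        key = f.location if f.kind in ("infected", "archive") else f.kind
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarise(found))
    for f in actionable(found):
        tag = "riskware" if f.is_riskware else "malware"
        print(f"ACT: [{tag}] {f.verdict} at {f.path}")
```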

#8 Igloochick

Igloochick
  • Topic Starter

  • Members
  • 16 posts
  • Local time:06:59 PM

Posted 24 April 2008 - 03:35 PM

Hi Starbuck,

Step 1: I could not remove AdVantage. It told me the files I was looking for could not be found. It does however appear on my add/remove program list. I did remove the program it said it was associated with (Daemon tools). It still would not let me remove AdVantage.

Step 2: I removed all the optionals with one exception. O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
Only because my partner uses that program a lot and has a fit if the little icons are not precisely where they are supposed to be. Saves me a headache. *grin*

Step 3: All went well until I got to cleanmgr. In taskmanager I checked and it took the CPU to 100% but after 40 minutes nothing had happened on the scan bar. That did not seem right so I rebooted and tried again to no avail.

Step 4: Here are the logs.

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-24 17:22:30
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT spdg.sys ZwCreateKey [0xF77110E0]
SSDT spdg.sys ZwEnumerateKey [0xF772ECA2]
SSDT spdg.sys ZwEnumerateValueKey [0xF772F030]
SSDT spdg.sys ZwOpenKey [0xF77110C0]
SSDT spdg.sys ZwQueryKey [0xF772F108]
SSDT spdg.sys ZwQueryValueKey [0xF772EF88]
SSDT spdg.sys ZwSetValueKey [0xF772F19A]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAAD809AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAAD80959]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAAD8096D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAAD80A5C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAAD80A88]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAAD809EB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAAD80B22]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAAD80931]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAAD80945]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAAD809BF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAAD80ACA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAAD80A72]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAAD80B4B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAAD80B37]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAAD80997]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAAD80983]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAAD80A1A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAAD80B0C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAAD80A01]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAAD809D5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwYieldExecution 805004B4 7 Bytes JMP AAD809D9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 80557C20 5 Bytes JMP AAD809AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8055C6B0 5 Bytes JMP AAD80A05 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8055CA31 7 Bytes JMP AAD809EF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80561A24 5 Bytes JMP AAD80935 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80562032 5 Bytes JMP AAD80987 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80564AAE 7 Bytes JMP AAD809C3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8056DFC1 6 Bytes JMP AAD80B26 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80574107 7 Bytes JMP AAD80971 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8057556E 6 Bytes JMP AAD80A1E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 80578BC7 5 Bytes JMP AAD80949 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 8057FB38 7 Bytes JMP AAD80A8C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80585F16 7 Bytes JMP AAD80A60 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805A7DCD 1 Byte [ E9 ]
PAGE ntoskrnl.exe!ZwCreateProcess + 2 805A7DCF 3 Bytes [ 8B, 7D, 2A ]
PAGE ntoskrnl.exe!ZwSetContextThread 805C840F 5 Bytes JMP AAD8099B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8062D06A 5 Bytes JMP AAD80B3B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8062D304 7 Bytes JMP AAD80B10 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8062DA4A 7 Bytes JMP AAD80ACE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8062DDBF 7 Bytes JMP AAD80A76 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8062E1A1 6 Bytes JMP AAD80B4F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spdg.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F5FACA80 5 Bytes JMP 8651A1D8

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!VirtualProtect 77E616A2 5 Bytes JMP 00F90078
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!GetStartupInfoW 77E616EE 5 Bytes JMP 00F90F59
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!GetStartupInfoA 77E61782 5 Bytes JMP 00F900B5
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateProcessW 77E61B92 5 Bytes JMP 00F90F23
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateProcessA 77E61BC0 5 Bytes JMP 00F90F48
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!GetProcAddress 77E693FA 5 Bytes JMP 00F900ED
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryW 77E6AFB1 5 Bytes JMP 00F90FBF
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryExW 77E6B6CC 5 Bytes JMP 00F90067
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateFileW 77E6BA58 5 Bytes JMP 00F9001C
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateFileA 77E6C0CE 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryExA 77E6CF95 5 Bytes JMP 00F90FAE
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!LoadLibraryA 77E6CFB5 5 Bytes JMP 00F90049
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!VirtualProtectEx 77E6D399 5 Bytes JMP 00F90089
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreatePipe 77E77551 5 Bytes JMP 00F90F6A
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateNamedPipeW 77E7DE5E 5 Bytes JMP 00F90FDA
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!WinExec 77E82CF5 5 Bytes JMP 00F900D1
.text C:\WINDOWS\system32\services.exe[768] kernel32.dll!CreateNamedPipeA 77E94605 5 Bytes JMP 00F9002D
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyExW 77DD1A8B 5 Bytes JMP 00B80011
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyW 77DD1C89 5 Bytes JMP 00B80FC8
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyExA 77DD229A 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyExA 77DD27D6 5 Bytes JMP 00B80F85
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyA 77DD28BB 5 Bytes JMP 00B80022
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyExW 77DD2D24 5 Bytes JMP 00B80F69
.text C:\WINDOWS\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyW 77DD52B8 5 Bytes JMP 00B80F96
.text C:\WINDOWS\system32\services.exe[768] WS2_32.dll!socket 71ABD159 5 Bytes JMP 00B5000A
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!VirtualProtect 77E616A2 5 Bytes JMP 00DB007D
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetStartupInfoW 77E616EE 5 Bytes JMP 00DB00C7
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetStartupInfoA 77E61782 5 Bytes JMP 00DB0F6B
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateProcessW 77E61B92 5 Bytes JMP 00DB010F
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateProcessA 77E61BC0 5 Bytes JMP 00DB00F4
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetProcAddress 77E693FA 5 Bytes JMP 00DB0120
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryW 77E6AFB1 5 Bytes JMP 00DB0FB7
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryExW 77E6B6CC 5 Bytes JMP 00DB006C
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateFileW 77E6BA58 5 Bytes JMP 00DB0011
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateFileA 77E6C0CE 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryExA 77E6CF95 5 Bytes JMP 00DB0F99
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!LoadLibraryA 77E6CFB5 5 Bytes JMP 00DB0FC8
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!VirtualProtectEx 77E6D399 5 Bytes JMP 00DB0099
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreatePipe 77E77551 5 Bytes JMP 00DB00AA
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateNamedPipeW 77E7DE5E 5 Bytes JMP 00DB0FD9
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!WinExec 77E82CF5 5 Bytes JMP 00DB00E3
.text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!CreateNamedPipeA 77E94605 5 Bytes JMP 00DB002C
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD1A8B 5 Bytes JMP 00DA0FD9
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD1C89 5 Bytes JMP 00DA001C
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD229A 5 Bytes JMP 00DA002D
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DD27D6 5 Bytes JMP 00DA0F8F
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyA 77DD28BB 5 Bytes JMP 00DA0FBD
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD2D24 5 Bytes JMP 00DA0F7E
.text C:\WINDOWS\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyW 77DD52B8 5 Bytes JMP 00DA0FA0
.text C:\WINDOWS\system32\lsass.exe[780] WS2_32.dll!socket 71ABD159 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtect 77E616A2 5 Bytes JMP 00940F70
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoW 77E616EE 5 Bytes JMP 009400A9
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoA 77E61782 5 Bytes JMP 00940F4E
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessW 77E61B92 5 Bytes JMP 00940F0F
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessA 77E61BC0 5 Bytes JMP 00940F20
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetProcAddress 77E693FA 5 Bytes JMP 00940EFE
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryW 77E6AFB1 5 Bytes JMP 00940F8F
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExW 77E6B6CC 5 Bytes JMP 00940048
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileW 77E6BA58 5 Bytes JMP 00940FE4
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileA 77E6C0CE 5 Bytes JMP 00940000
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExA 77E6CF95 5 Bytes JMP 00940037
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryA 77E6CFB5 5 Bytes JMP 00940FAD
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtectEx 77E6D399 5 Bytes JMP 00940070
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreatePipe 77E77551 5 Bytes JMP 00940F5F
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 77E7DE5E 5 Bytes JMP 0094001B
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!WinExec 77E82CF5 5 Bytes JMP 00940F31
.text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 77E94605 5 Bytes JMP 00940FC8
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DD1A8B 5 Bytes JMP 0093003D
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 77DD1C89 5 Bytes JMP 00930016
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DD229A 5 Bytes JMP 00930FDE
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DD27D6 5 Bytes JMP 0093007C
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 77DD28BB 5 Bytes JMP 0093004E
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DD2D24 5 Bytes JMP 0093008D
.text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 77DD52B8 5 Bytes JMP 0093005F
.text C:\WINDOWS\system32\svchost.exe[964] WS2_32.dll!socket 71ABD159 5 Bytes JMP 00910FEF
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!VirtualProtect 77E616A2 5 Bytes JMP 01B6005F
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 77E616EE 5 Bytes JMP 01B60081
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 77E61782 5 Bytes JMP 01B60F31
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!CreateProcessW 77E61B92 5 Bytes JMP 01B60EE8
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!CreateProcessA 77E61BC0 5 Bytes JMP 01B60EF9
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!GetProcAddress 77E693FA 5 Bytes JMP 01B60ECD
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!LoadLibraryW 77E6AFB1 5 Bytes JMP 01B60030
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 77E6B6CC 5 Bytes JMP 01B6004E
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!CreateFileW 77E6BA58 5 Bytes JMP 01B60FEF
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!CreateFileA 77E6C0CE 5 Bytes JMP 01B6000B
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 77E6CF95 5 Bytes JMP 01B60F87
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!LoadLibraryA 77E6CFB5 5 Bytes JMP 01B60FA6
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 77E6D399 5 Bytes JMP 01B60070
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!CreatePipe 77E77551 5 Bytes JMP 01B60F42
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 77E7DE5E 5 Bytes JMP 01B60FB7
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!WinExec 77E82CF5 5 Bytes JMP 01B60F14
.text C:\WINDOWS\System32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 77E94605 5 Bytes JMP 01B60FD3
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 77DD1A8B 5 Bytes JMP 01B50FBC
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 77DD1C89 5 Bytes JMP 01B50FDE
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 77DD229A 5 Bytes JMP 01B50FCD
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes JMP 01B50FEF
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 77DD27D6 5 Bytes JMP 01B50054
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 77DD28BB 5 Bytes JMP 01B50FA0
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 77DD2D24 5 Bytes JMP 01B50F8F
.text C:\WINDOWS\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 77DD52B8 5 Bytes JMP 01B50038
.text C:\WINDOWS\System32\svchost.exe[1072] WS2_32.dll!socket 71ABD159 5 Bytes JMP 01B30FE5
.text C:\WINDOWS\System32\svchost.exe[1072] WININET.dll!InternetOpenA 63017790 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\System32\svchost.exe[1072] WININET.dll!InternetOpenUrlA 63017F59 5 Bytes JMP 00FF0FCD
.text C:\WINDOWS\System32\svchost.exe[1072] WININET.dll!InternetOpenW 6301A0E4 5 Bytes JMP 00FF0FDE
.text C:\WINDOWS\System32\svchost.exe[1072] WININET.dll!InternetOpenUrlW 6301A3FB 5 Bytes JMP 00FF0FB1
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!VirtualProtect 77E616A2 5 Bytes JMP 00640082
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 77E616EE 5 Bytes JMP 006400CC
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 77E61782 5 Bytes JMP 006400BB
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateProcessW 77E61B92 5 Bytes JMP 00640F28
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateProcessA 77E61BC0 5 Bytes JMP 00640F39
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!GetProcAddress 77E693FA 5 Bytes JMP 00640F0D
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryW 77E6AFB1 5 Bytes JMP 00640052
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 77E6B6CC 5 Bytes JMP 00640071
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateFileW 77E6BA58 5 Bytes JMP 00640000
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateFileA 77E6C0CE 5 Bytes JMP 00640FE4
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 77E6CF95 5 Bytes JMP 00640FAA
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!LoadLibraryA 77E6CFB5 5 Bytes JMP 00640041
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 77E6D399 5 Bytes JMP 00640F8D
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreatePipe 77E77551 5 Bytes JMP 00640F7C
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 77E7DE5E 5 Bytes JMP 00640FC8
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!WinExec 77E82CF5 5 Bytes JMP 00640F54
.text C:\WINDOWS\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 77E94605 5 Bytes JMP 0064001B
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD1A8B 5 Bytes JMP 00630FAC
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD1C89 5 Bytes JMP 0063000B
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD229A 5 Bytes JMP 00630FC8
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes JMP 00630FEF
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DD27D6 5 Bytes JMP 0063002D
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DD28BB 5 Bytes JMP 00630F9B
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD2D24 5 Bytes JMP 0063003E
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DD52B8 5 Bytes JMP 0063001C
.text C:\WINDOWS\System32\svchost.exe[1220] WS2_32.dll!socket 71ABD159 5 Bytes JMP 00610FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1236] kernel32.dll!LoadLibraryW 77E6AFB1 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1236] kernel32.dll!LoadLibraryA 77E6CFB5 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtect 77E616A2 5 Bytes JMP 006F0059
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetStartupInfoW 77E616EE 5 Bytes JMP 006F00B2
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetStartupInfoA 77E61782 5 Bytes JMP 006F00A1
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessW 77E61B92 5 Bytes JMP 006F0F0E
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessA 77E61BC0 5 Bytes JMP 006F0F29
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetProcAddress 77E693FA 5 Bytes JMP 006F0EF3
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryW 77E6AFB1 5 Bytes JMP 006F0FAD
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryExW 77E6B6CC 5 Bytes JMP 006F0048
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateFileW 77E6BA58 5 Bytes JMP 006F0FDE
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateFileA 77E6C0CE 5 Bytes JMP 006F0FEF
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryExA 77E6CF95 5 Bytes JMP 006F0F81
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryA 77E6CFB5 5 Bytes JMP 006F0037
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtectEx 77E6D399 5 Bytes JMP 006F0F64
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreatePipe 77E77551 5 Bytes JMP 006F0084
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateNamedPipeW 77E7DE5E 5 Bytes JMP 006F001C
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!WinExec 77E82CF5 5 Bytes JMP 006F0F45
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateNamedPipeA 77E94605 5 Bytes JMP 006F000B
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExW 77DD1A8B 5 Bytes JMP 005C003E
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyW 77DD1C89 5 Bytes JMP 005C0011
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExA 77DD229A 5 Bytes JMP 005C0022
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes JMP 005C0000
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExA 77DD27D6 5 Bytes JMP 005C006B
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyA 77DD28BB 5 Bytes JMP 005C004F
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExW 77DD2D24 5 Bytes JMP 005C007C
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyW 77DD52B8 5 Bytes JMP 005C0FC3
.text C:\WINDOWS\system32\svchost.exe[1332] WS2_32.dll!socket 71ABD159 5 Bytes JMP 005A0FEF
.text C:\WINDOWS\system32\svchost.exe[1332] WININET.dll!InternetOpenA 63017790 5 Bytes JMP 00590FEF
.text C:\WINDOWS\system32\svchost.exe[1332] WININET.dll!InternetOpenUrlA 63017F59 5 Bytes JMP 0059000D
.text C:\WINDOWS\system32\svchost.exe[1332] WININET.dll!InternetOpenW 6301A0E4 5 Bytes JMP 00590FDE
.text C:\WINDOWS\system32\svchost.exe[1332] WININET.dll!InternetOpenUrlW 6301A3FB 5 Bytes JMP 00590FB6
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!VirtualProtect 77E616A2 5 Bytes JMP 00570F66
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!GetStartupInfoW 77E616EE 5 Bytes JMP 00570F2E
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!GetStartupInfoA 77E61782 5 Bytes JMP 00570F4A
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!CreateProcessW 77E61B92 5 Bytes JMP 005700D2
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!CreateProcessA 77E61BC0 5 Bytes JMP 005700B7
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!GetProcAddress 77E693FA 5 Bytes JMP 005700ED
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!LoadLibraryW 77E6AFB1 5 Bytes JMP 00570FA2
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!LoadLibraryExW 77E6B6CC 5 Bytes JMP 0057004A
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!CreateFileW 77E6BA58 5 Bytes JMP 00570011
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!CreateFileA 77E6C0CE 5 Bytes JMP 00570000
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!LoadLibraryExA 77E6CF95 5 Bytes JMP 00570F83
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!LoadLibraryA 77E6CFB5 5 Bytes JMP 00570FB3
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!VirtualProtectEx 77E6D399 5 Bytes JMP 0057005B
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!CreatePipe 77E77551 5 Bytes JMP 00570089
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!CreateNamedPipeW 77E7DE5E 5 Bytes JMP 00570FD9
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!WinExec 77E82CF5 5 Bytes JMP 005700A6
.text C:\WINDOWS\System32\svchost.exe[1464] kernel32.dll!CreateNamedPipeA 77E94605 5 Bytes JMP 00570022
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExW 77DD1A8B 5 Bytes JMP 0056001C
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyW 77DD1C89 5 Bytes JMP 00560FDE
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyExA 77DD229A 5 Bytes JMP 0056000B
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes JMP 00560FEF
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExA 77DD27D6 5 Bytes JMP 0056002D
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyA 77DD28BB 5 Bytes JMP 00560FAC
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyExW 77DD2D24 5 Bytes JMP 00560F68
.text C:\WINDOWS\System32\svchost.exe[1464] ADVAPI32.dll!RegCreateKeyW 77DD52B8 5 Bytes JMP 00560F90
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!VirtualProtect 77E616A2 5 Bytes JMP 00E7009D
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!GetStartupInfoW 77E616EE 3 Bytes JMP 00E70F62
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!GetStartupInfoW + 4 77E616F2 1 Byte [ 89 ]
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!GetStartupInfoA 77E61782 5 Bytes JMP 00E700C9
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!CreateProcessW 77E61B92 5 Bytes JMP 00E70111
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!CreateProcessA 77E61BC0 5 Bytes JMP 00E70100
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!GetProcAddress 77E693FA 5 Bytes JMP 00E70122
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!LoadLibraryW 77E6AFB1 3 Bytes JMP 00E70FC7
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!LoadLibraryW + 4 77E6AFB5 1 Byte [ 89 ]
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!LoadLibraryExW 77E6B6CC 5 Bytes JMP 00E7008C
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!CreateFileW 77E6BA58 5 Bytes JMP 00E7001C
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!CreateFileA 77E6C0CE 5 Bytes JMP 00E70000
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!LoadLibraryExA 77E6CF95 5 Bytes JMP 00E7006F
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!LoadLibraryA 77E6CFB5 5 Bytes JMP 00E7005E
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!VirtualProtectEx 77E6D399 5 Bytes JMP 00E70F9D
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!CreatePipe 77E77551 5 Bytes JMP 00E70F7E
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!CreateNamedPipeW 77E7DE5E 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!WinExec 77E82CF5 5 Bytes JMP 00E700E5
.text C:\WINDOWS\Explorer.EXE[1560] kernel32.dll!CreateNamedPipeA 77E94605 5 Bytes JMP 00E70038
.text C:\WINDOWS\Explorer.EXE[1560] ADVAPI32.dll!RegOpenKeyExW 77DD1A8B 5 Bytes JMP 00E6002D
.text C:\WINDOWS\Explorer.EXE[1560] ADVAPI32.dll!RegOpenKeyW 77DD1C89 5 Bytes JMP 00E6000B
.text C:\WINDOWS\Explorer.EXE[1560] ADVAPI32.dll!RegOpenKeyExA 77DD229A 5 Bytes JMP 00E6001C
.text C:\WINDOWS\Explorer.EXE[1560] ADVAPI32.dll!RegOpenKeyA 77DD23D9 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\Explorer.EXE[1560] ADVAPI32.dll!RegCreateKeyExA 77DD27D6 1 Byte [ E9 ]
.text C:\WINDOWS\Explorer.EXE[1560] ADVAPI32.dll!RegCreateKeyExA + 2 77DD27D8 3 Bytes [ D8, 08, 89 ]
.text C:\WINDOWS\Explorer.EXE[1560] ADVAPI32.dll!RegCreateKeyA 77DD28BB 5 Bytes JMP 00E60FBD
.text C:\WINDOWS\Explorer.EXE[1560] ADVAPI32.dll!RegCreateKeyExW 77DD2D24 5 Bytes JMP 00E60FA1
.text C:\WINDOWS\Explorer.EXE[1560] ADVAPI32.dll!RegCreateKeyW 77DD52B8 5 Bytes JMP 00E60055
.text C:\WINDOWS\Explorer.EXE[1560] WS2_32.dll!socket 71ABD159 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\Explorer.EXE[1560] WININET.dll!InternetOpenA 63017790 5 Bytes JMP 00990FEF
.text C:\WINDOWS\Explorer.EXE[1560] WININET.dll!InternetOpenUrlA 63017F59 5 Bytes JMP 0099002A
.text C:\WINDOWS\Explorer.EXE[1560] WININET.dll!InternetOpenW 6301A0E4 5 Bytes JMP 0099000D
.text C:\WINDOWS\Explorer.EXE[1560] WININET.dll!InternetOpenUrlW 6301A3FB 5 Bytes JMP 0099003B

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 867772D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F77376D0] spdg.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F773B708] spdg.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7712046] spdg.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7712142] spdg.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F77120C4] spdg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F77127CE] spdg.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F77126A4] spdg.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[NTOSKRNL.EXE!DbgBreakPoint] 8651A2D8
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F771DD7A] spdg.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 867E21F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \FatCdrom 863F1500

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 864F31F8
Device \Driver\usbuhci \Device\USBPDO-1 864F31F8
Device \Driver\usbuhci \Device\USBPDO-2 864F31F8
Device \Driver\usbuhci \Device\USBPDO-3 864F31F8
Device \Driver\usbehci \Device\USBPDO-4 864C31F8

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\USBSTOR \Device\00000070 864A31F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 867E41F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{39D3EC43-968A-4F9F-8359-4000FCCB77E6} 8637F500
Device \Driver\Ftdisk \Device\HarddiskVolume2 867E41F8
Device \Driver\USBSTOR \Device\00000072 864A31F8
Device \Driver\USBSTOR \Device\00000073 864A31F8
Device \Driver\USBSTOR \Device\00000074 864A31F8
Device \Driver\USBSTOR \Device\00000075 864A31F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8637F500
Device \Driver\NetBT \Device\NetbiosSmb 8637F500

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 864F31F8
Device \Driver\usbuhci \Device\USBFDO-1 864F31F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86390500
Device \Driver\usbuhci \Device\USBFDO-2 864F31F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86390500
Device \Driver\usbuhci \Device\USBFDO-3 864F31F8
Device \Driver\usbehci \Device\USBFDO-4 864C31F8
Device \Driver\Ftdisk \Device\FtControl 867E41F8
Device \FileSystem\Fastfat \Fat 863F1500

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs 863BF500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC9 0x1D 0xB1 0x24 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC9 0x1D 0xB1 0x24 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\System32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- EOF - GMER 1.0.14 ----

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:08 PM, on 4/24/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 6441 bytes

#9 Starbuck
  • Malware Response Team
  • 4,146 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 24 April 2008 - 04:25 PM

Hi Igloochick

> I could not remove AdVantage. It told me the files I was looking for could not be found.

Ok, not to worry.... we'll remove it another way.

> with one exception. O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE

That's perfectly ok.... they were 'optional' anyway.

> All went well until I got to cleanmgr.

We'll do this another way then.

Step 1
Please download ATF Cleaner by Atribune. (This program is for XP, Vista and Windows 2000.)
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Note: If you are using Vista... please right click the desktop icon and select 'Run as Administrator'.

Step 2
Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

    Folder::
    C:\Program Files\AdVantage

Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Step 3
Please run the F-Secure Online Scanner

Note: This Scanner is for use with Internet Explorer Only!

Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and Copy & Paste the entire report in your next reply.

In your next reply, please submit:
New ComboFix.txt
F Secure scan report
and a new Hjt log

Thanks.



#10 Igloochick
  • Topic Starter
  • Members
  • 16 posts

Posted 25 April 2008 - 10:50 AM

Hi Starbuck,

All processes were able to be completed this time.

Thanks. Here are the logs.

What was the spyware that F-secure removed? I know I've seen that on my system for quite some time.

ComboFix 08-04-20.5 - Owner 2008-04-25 9:58:20.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.642 [GMT -3:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AdVantage
C:\Program Files\AdVantage\AdVantage.exe
C:\Program Files\AdVantage\AdVantage.htm
C:\Program Files\AdVantage\AdVUninst.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-24 17:11 . 2008-04-24 17:11 250 --a------ C:\WINDOWS\gmer.ini
2008-04-23 17:01 . 2008-04-23 17:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-23 17:01 . 2008-04-23 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-20 18:09 . 2008-04-20 18:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 17:52 . 2008-04-20 17:52 <DIR> d-------- C:\Deckard
2008-04-19 19:02 . 2008-04-21 21:20 1,076 --a------ C:\WINDOWS\wininit.ini
2008-04-12 10:04 . 2008-04-12 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 01:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-04-25 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-22 19:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\DAEMON Tools
2008-04-19 21:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-19 15:44 --------- d-----w C:\Program Files\Trillian
2008-04-18 21:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-30 16:10 --------- d-----w C:\Program Files\McAfee
2008-03-23 14:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-22 16:00 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-22 15:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-04 14:09 --------- d-----w C:\Program Files\Maxis
.

((((((((((((((((((((((((((((( snapshot@2008-04-22_16.21.27.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-22 19:17:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-25 12:45:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 20:11:40 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-03-03 23:29:06 761,856 ----a-w C:\WINDOWS\gmer.exe
- 2008-04-22 19:17:06 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-25 12:50:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-22 19:17:06 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-25 12:50:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-22 19:17:06 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-25 12:50:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-24 20:11:40 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2005-05-24 15:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 18:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 18:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-04-06 16:38:01 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-22 19:19:29 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-06 16:38:01 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-22 19:19:29 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-01-26 07:24 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 21:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-12 00:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 13:01 110592]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2003-11-03 21:50 221184]
"VTTimer"="VTTimer.exe" []
"LTMSG"="LTMSG.exe" [2003-07-14 22:52 40960 C:\WINDOWS\ltmsg.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-13 00:13 98304]
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [2004-03-10 17:26 406016]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 18:57 36640]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CAMTRAY.EXE" [2004-07-30 12:04 245760]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2004-01-27 07:26:18 557056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R3 V0080Dev;Creative Camera VF0080 Driver;C:\WINDOWS\System32\DRIVERS\V0080Dev.sys [2004-10-09 06:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 05:42:02 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-01 05:00:29 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 09:59:35
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-04-25 10:01:05
ComboFix-quarantined-files.txt 2008-04-25 13:00:46
ComboFix2.txt 2008-04-23 19:57:14
ComboFix3.txt 2008-04-22 19:21:43

Pre-Run: 123,577,241,600 bytes free
Post-Run: 123,594,084,352 bytes free

108 --- E O F --- 2008-04-12 12:39:12




Scanning Report
Friday, April 25, 2008 10:08:28 - 12:41:01

Computer name: LILBRAT
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 1 malware found
RiskTool.Win32.PsKill (spyware)

* System

Statistics
Scanned:

* Files: 38504
* System: 3731
* Not scanned: 10

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\TEMP\MCAFEE_8MPZYEJUGHBQR3C
* C:\WINDOWS\TEMP\MCMSC_3OES6MCMEQNZVD8
* C:\WINDOWS\TEMP\MCMSC_U0LVNA52BYLUPI2
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:07 PM, on 4/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 6450 bytes

#11 Igloochick
  • Topic Starter
  • Members
  • 16 posts

Posted 25 April 2008 - 10:59 AM

Hey Starbuck.

I just noticed something very odd. When I come to this site now via Firefox it looks odd. It reminds me of...well, sometimes if a website has colors that I cannot read easily I'll go into Firefox Tools, Options, Fonts and Colors, Advanced and unclick "allow sites to choose their own fonts and colors". I double checked that, by the way, and it is as it is supposed to be. And all my other sites seem to be coming up properly, and I checked this site on my other system and it looks normal. So I am baffled. I just checked the site via IE and it looks like it is supposed to as well. Weird.

Edited by Igloochick, 25 April 2008 - 11:01 AM.


#12 Starbuck
  • Malware Response Team
  • 4,146 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 25 April 2008 - 12:33 PM

Hi Igloochick

> So I am baffled. I just checked the site via IE and it looks like it is supposed to as well. Weird.

The same thing has happened to me over the last week or so.
If I used Firefox... sometimes this site would look ok, another time it looked really odd. I too found that it was only this site.
I wouldn't worry about it, you're not alone on this.

> What was the spyware that F-secure removed?

It is part of the Backweb program that HP installs on all Pavilion PCs.
It's labeled "riskware" because it is an application that can be used by malware to kill vital processes.
HP says it's a necessary program, but others disagree.
It was just F-Secure being cautious.

Now that everything is looking a lot better, are you ready to try the upgrade to SP2?
Your Java is well out of date.... but the newer version will only work with SP2.
So we'll go for the upgrade and then install the latest Java update.

Step 1
First we'll remove ComboFix.

Please uninstall ComboFix by
Clicking on Start ...then Run ... and type in combofix /u (don't forget there is a gap between x and /) Then press Ok

When shown the disclaimer, Select "2"

This action will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Reset System Restore.

Step 2
You should use Internet Explorer for this.
Click ...Start ... All Programs ... Windows Updates.
Let it check your system for any updates.
When the list comes up.... click on Express Install, to install the updates.
It may ask you to reboot your system when it finishes.
When completed... go back and check for more updates, and keep doing this until it says there are no available updates for your system.
It may not give them all to you the first time.

Please do not have any other programs running or use your pc whilst downloading the updates.

When finished....

Step 3
Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
In your next reply, please submit:
A new Hjt log.
and let me know if you had any problems.

Thanks



#13 Igloochick
  • Topic Starter
  • Members
  • 16 posts

Posted 25 April 2008 - 03:20 PM

Starbuck!!! We DID it! *happy dance* The upgrades all went as smooth as could be. Thank you so very much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:13 PM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ngen.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [NetFxUpdate_v1.1.4322] "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" 0 v1.1.4322 GAC + NI NID
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 7210 bytes

#14 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:59 PM

Posted 25 April 2008 - 04:16 PM

Well done Igloochick :thumbsup:

You now have an up to date operating system that is a lot more secure than you had previously.

Your logs are looking good now; is everything running smoothly now?



#15 Igloochick

Igloochick
  • Topic Starter

  • Members
  • 16 posts
  • Local time:06:59 PM

Posted 25 April 2008 - 05:15 PM

:thumbsup: :blink:

It is running great Starbuck.

Again, thank you so very much you are a superstar!!



