
Remotely controlled ?


  • This topic is locked
  • 53 replies to this topic

#1 DRUMz
  • Members
  • 32 posts

Posted 29 January 2009 - 06:27 PM

Hi. I've had something on my computer for 2 weeks now. I think it's a virus, but none of my 8 virus scanners could find one.
My mouse automatically moves, clicks and drags, not doing anything serious, just clicking in the middle of nowhere on my screen. It disabled my firewall though (I think, because it was disabled, and I didn't do it).
After a week, the mouse did move to exact positions. It shut down my Explorer, sent a buzzer on MSN, went to Start, and pressed 'Shutdown'. I couldn't restart my computer after that;
after trying about 10 times to restart my computer, I finally got into safe mode and noticed that McAfee was totally messed up. After noticing that, I set my PC 10 days back, and the PC was working again.
I thought it was over, but it started again the next day. The mouse was moving again, and when I shut down my internet, it stopped. My firewall isn't doing anything about it.
I've asked a mate; he thinks I've got a kind of trojan, and that a hacker uses it to remote control my computer.

Here's my log.
Attached File  logg.txt   12.07KB   30 downloads

I hope you guys/girls can help me.
Sorry for my English, I'm 15 and from The Netherlands.
Many thanks.

Jesse Grooten.

Edited by DRUMz, 29 January 2009 - 06:39 PM.




#2 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 07 February 2009 - 07:06 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Options button at the top bar of this topic and select Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. If you are using Windows Vista, right click the icon and select "Run as Administrator". Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#3 DRUMz
  • Topic Starter
  • Members
  • 32 posts

Posted 10 February 2009 - 01:09 PM

Hi.

I've scanned my computer, and here are the results:
DDS (Ver_09-02-01.01) - NTFSx86
Run by Jesse at 19:04:31,98 on di 10-02-2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.31.1043.18.2047.587 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
c:\hp\HPEZBTN\HPBtnSrv.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Windows\ehome\ehsched.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\ehome\ehRecvr.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Creative\Sound Blaster X-Fi Surround 5.1\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Steam\Steam.exe
C:\Users\Jesse\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\DVDVideoSoft\FreeStudioManager.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Users\Jesse\AppData\Local\Temp\Rar$EX00.607\gmer.exe
C:\Users\Jesse\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Help bij koppelingen: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
BHO: NoExplorer - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: {E9349597-6E81-47F3-B05D-469763764FB7} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Google Update] "c:\users\jesse\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Netlog Music Tool] "c:\program files\netlog music tool\NetlogMusicTool.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MSServer] rundll32.exe c:\windows\system32\opnKEtSj.dll,#1
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi surround 5.1\volume panel\VolPanlu.exe" /r
mRun: [Module Loader] c:\program files\creative\shared files\module loader\DLLML.exe -StartUpRun
mRun: [Creative SB Monitoring Utility] RunDll32 sbavmon.dll,SBAVMonitor
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
SEH: {E9349597-6E81-47F3-B05D-469763764FB7} - No File

============= SERVICES / DRIVERS ===============

R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 HPBtnSrv;HP Chasis Button Service;c:\hp\hpezbtn\HPBtnSrv.exe [2007-9-8 198240]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-3-13 809296]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2008-12-4 226640]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-9-8 968064]
R3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2008-12-27 450944]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2008-2-26 493568]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S3 lgmcbus;LGE Mobile driver (WDM);c:\windows\system32\drivers\lgmcbus.sys [2008-8-16 83584]
S3 lgmcmdfl;LGE Mobile USB WMC Modem Filter;c:\windows\system32\drivers\lgmcmdfl.sys [2008-8-16 14976]
S3 lgmcmdm;LGE Mobile USB WMC Modem Driver;c:\windows\system32\drivers\lgmcmdm.sys [2008-8-16 110464]
S3 lgmcmgmt;LGE Mobile USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\lgmcmgmt.sys [2008-8-16 104448]
S3 lgmcnd5;LGE Mobile USB WMC Ethernet ELDA (NDIS);c:\windows\system32\drivers\lgmcnd5.sys [2008-8-16 25344]
S3 lgmcobex;LGE Mobile USB WMC OBEX Interface;c:\windows\system32\drivers\lgmcobex.sys [2008-8-16 100480]
S3 lgmcunic;LGE Mobile USB WMC Ethernet ELDA (WDM);c:\windows\system32\drivers\lgmcunic.sys [2008-8-16 109952]
S3 PAC207;SoC PC-Camera;c:\windows\system32\drivers\PFC027.SYS [2006-12-5 507136]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"
regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-02-10 19:03 250 a------- c:\windows\gmer.ini
2009-02-08 18:59 <DIR> --d----- c:\programdata\Azureus
2009-02-08 18:59 <DIR> --d----- c:\progra~2\Azureus
2009-02-08 18:59 <DIR> --d----- c:\users\jesse\appdata\roaming\Azureus
2009-02-08 18:59 <DIR> --d----- c:\program files\Vuze
2009-02-08 17:51 <DIR> --d----- c:\users\jesse\.thumbnails
2009-02-08 17:48 <DIR> --d----- c:\users\jesse\.gimp-2.4
2009-02-08 17:48 <DIR> --d----- c:\program files\GIMP-2.0
2009-02-07 15:41 <DIR> --d----- c:\program files\PhotoFiltre
2009-02-05 00:29 97,800 a------- c:\windows\system32\infocardapi.dll
2009-02-05 00:29 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-05 00:29 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-02-05 00:29 622,080 a------- c:\windows\system32\icardagt.exe
2009-02-05 00:29 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-02-05 00:29 11,264 a------- c:\windows\system32\icardres.dll
2009-02-05 00:29 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-02-05 00:29 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-02-05 00:21 96,760 a------- c:\windows\system32\dfshim.dll
2009-02-05 00:21 282,112 a------- c:\windows\system32\mscoree.dll
2009-02-05 00:21 41,984 a------- c:\windows\system32\netfxperf.dll
2009-02-05 00:20 158,720 a------- c:\windows\system32\mscorier.dll
2009-02-05 00:20 83,968 a------- c:\windows\system32\mscories.dll
2009-01-26 23:08 <DIR> --d----- c:\program files\Audacity 1.3 Beta (Unicode)
2009-01-26 21:56 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 22:52 <DIR> --d----- c:\program files\a-squared Free
2009-01-24 14:11 <DIR> --d----- c:\program files\Lavasoft
2009-01-24 14:08 <DIR> --d----- c:\users\jesse\.housecall6.6
2009-01-22 00:33 <DIR> --d----- C:\restorepoint
2009-01-15 18:37 <DIR> --d----- c:\program files\Netlog Music Tool
2009-01-13 20:00 288,768 a------- c:\windows\system32\drivers\srv.sys

==================== Find3M ====================

2009-02-07 15:26 676,772 a------- c:\windows\system32\perfh013.dat
2009-02-07 15:26 131,268 a------- c:\windows\system32\perfc013.dat
2009-02-05 23:42 14,286 a------- c:\users\jesse\appdata\roaming\wklnhst.dat
2008-12-27 12:39 51,200 a------- c:\windows\inf\infpub.dat
2008-12-27 12:39 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-27 12:39 86,016 a------- c:\windows\inf\infstor.dat
2008-12-27 12:38 413,696 a------- c:\windows\system32\wrap_oal.dll
2008-12-27 12:38 110,592 a------- c:\windows\system32\OpenAL32.dll
2008-12-05 00:31 308,584 a------- c:\windows\WLXPGSS.SCR
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-11-23 10:36 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-09-14 16:48 24 a------- c:\users\jesse\jagex_runescape_preferences.dat
2008-06-19 16:47 174 a--sh--- c:\program files\desktop.ini
2008-06-18 22:49 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-19 17:14 22,328 a------- c:\users\jesse\appdata\roaming\PnkBstrK.sys
2007-09-08 14:55 336,440 a------- c:\windows\inf\perflib\0413\perfi.dat
2007-09-08 14:55 336,440 a------- c:\windows\inf\perflib\0413\perfh.dat
2007-09-08 14:55 41,976 a------- c:\windows\inf\perflib\0413\perfd.dat
2007-09-08 14:55 41,976 a------- c:\windows\inf\perflib\0413\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-01-23 23:41 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-01-23 23:41 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-01-23 23:41 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-06-17 21:26 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-06-17 21:26 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-06-17 21:26 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-09-08 15:11 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 19:05:20,06 ===============

Many thanks,


Jesse Grooten.

Edited by PropagandaPanda, 11 February 2009 - 03:50 PM.


#4 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 10 February 2009 - 03:27 PM

Hello.

Are you able to run GMER? It is likely that any remote control software uses rootkits.

With Regards,
The Panda

#5 DRUMz
  • Topic Starter
  • Members
  • 32 posts

Posted 11 February 2009 - 12:54 PM

I'm sorry, I thought the DDS file was from GMER.

Here it is:

Attached File  gmer.log   4.07KB   30 downloads

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-11 18:53:12
Windows 6.0.6001 Service Pack 1


---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 00: MBR rootkit code detected

---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8D7819DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8D781978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8D78198C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8D781A1C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8D781A5F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8D781950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8D781964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8D7819F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8D781A87]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8D781A73]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8D7819CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8D7819B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8D781A4B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8D781A32]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8D781A08]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8D7819A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----

Edited by PropagandaPanda, 07 March 2009 - 05:17 PM.


#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 11 February 2009 - 04:00 PM

Hello DRUMz.

I do see signs of infection, though not a remoting program.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :processes
    rundll32.exe
    
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSServer"=-
    
    :files
    c:\windows\system32\opnKEtSj.dll
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

F-Secure Online Scan
Please run F-Secure Online Scanner to check for anything we've missed.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the OTMoveIt log
-the F-Secure scan log
-a new DDS.txt log

Any sign of infection at the moment?

With Regards,
The Panda
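
The entry the OTMoveIt script above removes is a Run value that launches rundll32 against a DLL with a generated-looking name and calls it by export ordinal; that is the kind of entry that can be picked out of a DDS log mechanically rather than by eye. The following Python script is an added example for this thread, not code from BleepingComputer, the helper, or the DDS and OTMoveIt tools: it parses Run-key lines in the format DDS prints in its "Pseudo HJT Report", applies two heuristics of my own (rundll32 invoked with an export ordinal, and a lowercase-start module name with interior capitals), and prints an OTMoveIt-style removal block in the layout used above for whatever it flags. The sample lines are constructed from the log earlier in the thread, and the u/m prefix mapping to HKCU/HKLM follows the HijackThis convention.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample in the format DDS uses for Run-key entries in its
# "Pseudo HJT Report" (u = HKCU, m = HKLM). The MSServer line mirrors the
# entry removed in the thread; the others are ordinary vendor entries.
SAMPLE_DDS_RUN_LINES = r"""
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [<NO NAME>]
mRun: [MSServer] rundll32.exe c:\windows\system32\opnKEtSj.dll,#1
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Creative SB Monitoring Utility] RunDll32 sbavmon.dll,SBAVMonitor
"""

RUN_LINE = re.compile(
    r"^(?P<hive>[um])Run(?P<once>Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class RunEntry:
    hive: str                 # "u" (HKCU) or "m" (HKLM)
    key: str                  # "Run" or "RunOnce"
    name: str                 # value name shown between the brackets
    command: str
    loader: str = ""          # lower-cased basename of the first executable token
    target: str = ""          # module that actually gets executed
    export: str = ""          # rundll32 export name or "#ordinal", if any
    reasons: list = field(default_factory=list)   # strong signals
    notes: list = field(default_factory=list)     # informational only


def _first_token(cmd: str):
    """Split off the first executable token (quoted or whitespace-delimited).
    Unquoted paths containing spaces are cut at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_run_line(line: str):
    """Parse one uRun/mRun/uRunOnce/mRunOnce line; None if it is not one."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    entry = RunEntry(m["hive"], "RunOnce" if m["once"] else "Run",
                     m["name"], m["cmd"].strip())
    exe, rest = _first_token(entry.command)
    entry.loader = PureWindowsPath(exe).name.lower()
    entry.target = exe
    if entry.loader.startswith("rundll32"):
        # rundll32 syntax: <dll>,<export or #ordinal> [args]
        spec, _ = _first_token(rest)
        entry.target, _, entry.export = spec.partition(",")
    return entry


def looks_generated(stem: str) -> bool:
    """Heuristic (assumption of this example): vendor modules are all-lowercase
    or CamelCase; a lowercase-start name with two or more interior capitals,
    like opnKEtSj, is a common generated-name pattern."""
    return stem[:1].islower() and sum(c.isupper() for c in stem) >= 2


def assess(entry: RunEntry) -> RunEntry:
    stem = PureWindowsPath(entry.target).stem
    if entry.loader.startswith("rundll32") and entry.export.startswith("#"):
        entry.reasons.append("rundll32 invokes the module by export ordinal")
    if looks_generated(stem):
        entry.reasons.append(f"random-looking module name {stem!r}")
    if not entry.name or entry.name == "<NO NAME>" or not entry.command:
        entry.notes.append("nameless or empty entry")
    return entry


def suspicious_entries(text: str):
    """Return the Run entries that trip at least one strong signal."""
    entries = [assess(e) for e in (parse_run_line(l) for l in text.splitlines()) if e]
    return [e for e in entries if e.reasons]


def otmoveit_script(entries) -> str:
    """Emit a removal block in the :processes/:reg/:files/:commands layout."""
    procs = sorted({e.loader for e in entries if e.loader})
    reg, files = [], []
    for e in entries:
        hive = "HKEY_LOCAL_MACHINE" if e.hive == "m" else "HKEY_CURRENT_USER"
        reg += [f"[{hive}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{e.key}]",
                f'"{e.name}"=-']
        if e.target:
            files.append(e.target)
    return "\n".join([":processes", *procs, "", ":reg", *reg, "",
                      ":files", *files, "", ":commands", "[emptytemp]"])


if __name__ == "__main__":
    flagged = suspicious_entries(SAMPLE_DDS_RUN_LINES)
    for e in flagged:
        print(f"{e.name}: {e.target} ({'; '.join(e.reasons)})")
    print(otmoveit_script(flagged))
```

Run against the sample, only the MSServer line is flagged (both signals fire) and the emitted block matches the one posted above. The name heuristic is a triage aid, not a verdict: a human still has to confirm each flagged module before anything is moved, and the nameless entry is reported as a note only.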

#7 DRUMz
  • Topic Starter
  • Members
  • 32 posts

Posted 11 February 2009 - 05:51 PM

I'll do that tomorrow,

and yes, well, the mouse still moves etc.
Even a little more. It doesn't always do that,
and I think something is activating it, because
when I download a photo or something, it starts;
sometimes when I run a program, it starts.
That kind of thing.


But yeah, I'll post the things tomorrow,
first some sleep.

Many thanks,
The Jesse

Hehe .

Edited by DRUMz, 11 February 2009 - 05:52 PM.


#8 DRUMz
  • Topic Starter
  • Members
  • 32 posts

Posted 12 February 2009 - 04:42 PM

First MoveIt log
Attached File  moveit.log   2.98KB   23 downloads

After-reboot MoveIt log:
Attached File  02122009_205633.log   9.66KB   21 downloads

The DDS log:
Attached File  newDDS.log   16.56KB   18 downloads


After these 3 scans, and while still busy with F-Secure, it started again,
dragging the mouse from the left of the screen to the right and back,
very fast and wild.
After that it went to Start while I was trying to type this.
It quit after ~5 min.

The F-Secure log:
Attached File  F_Secure.log   4.77KB   28 downloads


It found 4 threats;
it didn't delete anything.


Many thanks,

Jesse.

Edited by DRUMz, 13 February 2009 - 12:12 PM.


#9 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 12 February 2009 - 06:02 PM

Hello.

Let's see if some more scanners can pick up anything we missed.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Also include a new DDS.txt please.

With Regards,
The Panda

#10 DRUMz

DRUMz
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:06:56 AM

Posted 18 February 2009 - 11:44 AM

Sorry, I wasn't at home for a while.
I'll do the tests now.

This message is just so that you know that the problem isn't over yet.

Regards,

Jesse

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:56 AM

Posted 18 February 2009 - 04:49 PM

That's fine with me.

The Panda

#12 DRUMz

DRUMz
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:06:56 AM

Posted 19 February 2009 - 08:53 AM

The Malware program found 4 kinds of viruses.
It said it removed them.

Here are the logs:

Kaspersky:
Attached File  Kasperskyscan.txt   1.19KB   29 downloads

Malwarebytes:
Attached File  mbam_log_2009_02_19__14_32_56_.txt   1.48KB   27 downloads

It's in Dutch; I hope it's not a problem for you.
I didn't expect it would save it in my language.

The New DDS log
Attached File  newnewDDS.txt   16.14KB   21 downloads


Many thanks,

Jesse.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Jesse at 14:47:39,69 on do 19-02-2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.31.1043.18.2047.1124 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
c:\hp\HPEZBTN\HPBtnSrv.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\rundll32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Windows\system32\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Creative\Sound Blaster X-Fi Surround 5.1\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Windows\System32\rundll32.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\Jesse\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Steam\Steam.exe
C:\Users\Jesse\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Steam\SteamService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\hp\kbd\kbd.exe
C:\Users\Jesse\Desktop\dds.pif
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Help bij koppelingen: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
BHO: NoExplorer - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Google Update] "c:\users\jesse\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Netlog Music Tool] "c:\program files\netlog music tool\NetlogMusicTool.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi surround 5.1\volume panel\VolPanlu.exe" /r
mRun: [Module Loader] c:\program files\creative\shared files\module loader\DLLML.exe -StartUpRun
mRun: [Creative SB Monitoring Utility] RunDll32 sbavmon.dll,SBAVMonitor
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

============= SERVICES / DRIVERS ===============

R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 HPBtnSrv;HP Chasis Button Service;c:\hp\hpezbtn\HPBtnSrv.exe [2007-9-8 198240]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-3-13 809296]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-9-8 968064]
R3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2008-12-27 450944]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2008-2-26 493568]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S3 lgmcbus;LGE Mobile driver (WDM);c:\windows\system32\drivers\lgmcbus.sys [2008-8-16 83584]
S3 lgmcmdfl;LGE Mobile USB WMC Modem Filter;c:\windows\system32\drivers\lgmcmdfl.sys [2008-8-16 14976]
S3 lgmcmdm;LGE Mobile USB WMC Modem Driver;c:\windows\system32\drivers\lgmcmdm.sys [2008-8-16 110464]
S3 lgmcmgmt;LGE Mobile USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\lgmcmgmt.sys [2008-8-16 104448]
S3 lgmcnd5;LGE Mobile USB WMC Ethernet ELDA (NDIS);c:\windows\system32\drivers\lgmcnd5.sys [2008-8-16 25344]
S3 lgmcobex;LGE Mobile USB WMC OBEX Interface;c:\windows\system32\drivers\lgmcobex.sys [2008-8-16 100480]
S3 lgmcunic;LGE Mobile USB WMC Ethernet ELDA (WDM);c:\windows\system32\drivers\lgmcunic.sys [2008-8-16 109952]
S3 PAC207;SoC PC-Camera;c:\windows\system32\drivers\PFC027.SYS [2006-12-5 507136]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"

=============== Created Last 30 ================

2009-02-14 16:31 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-14 16:31 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-14 16:30 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-14 16:30 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-14 16:30 80,896 a------- c:\windows\system32\MSNP.ax
2009-02-13 17:43 <DIR> --d----- c:\users\jesse\appdata\roaming\Malwarebytes
2009-02-13 17:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-13 17:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 17:43 <DIR> --d----- c:\programdata\Malwarebytes
2009-02-13 17:43 <DIR> --d----- c:\progra~2\Malwarebytes
2009-02-13 17:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-12 21:19 <DIR> --d----- C:\fsaua.data
2009-02-12 21:16 105,944 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-02-12 20:56 <DIR> --d----- C:\_OTMoveIt
2009-02-11 19:36 827,392 a------- c:\windows\system32\wininet.dll
2009-02-11 19:36 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-02-10 20:20 <DIR> --d----- c:\programdata\Messenger Plus!
2009-02-10 20:20 <DIR> --d----- c:\progra~2\Messenger Plus!
2009-02-10 19:03 250 a------- c:\windows\gmer.ini
2009-02-08 18:59 <DIR> --d----- c:\programdata\Azureus
2009-02-08 18:59 <DIR> --d----- c:\progra~2\Azureus
2009-02-08 18:59 <DIR> --d----- c:\users\jesse\appdata\roaming\Azureus
2009-02-08 18:59 <DIR> --d----- c:\program files\Vuze
2009-02-08 17:51 <DIR> --d----- c:\users\jesse\.thumbnails
2009-02-08 17:48 <DIR> --d----- c:\users\jesse\.gimp-2.4
2009-02-08 17:48 <DIR> --d----- c:\program files\GIMP-2.0
2009-02-07 15:41 <DIR> --d----- c:\program files\PhotoFiltre
2009-02-06 19:55 308,616 a------- c:\windows\WLXPGSS.SCR
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-05 00:29 97,800 a------- c:\windows\system32\infocardapi.dll
2009-02-05 00:29 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-05 00:29 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-02-05 00:29 622,080 a------- c:\windows\system32\icardagt.exe
2009-02-05 00:29 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-02-05 00:29 11,264 a------- c:\windows\system32\icardres.dll
2009-02-05 00:29 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-02-05 00:29 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-02-05 00:21 96,760 a------- c:\windows\system32\dfshim.dll
2009-02-05 00:21 282,112 a------- c:\windows\system32\mscoree.dll
2009-02-05 00:21 41,984 a------- c:\windows\system32\netfxperf.dll
2009-02-05 00:20 158,720 a------- c:\windows\system32\mscorier.dll
2009-02-05 00:20 83,968 a------- c:\windows\system32\mscories.dll
2009-01-26 23:08 <DIR> --d----- c:\program files\Audacity 1.3 Beta (Unicode)
2009-01-26 21:56 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 22:52 <DIR> --d----- c:\program files\a-squared Free
2009-01-24 14:11 <DIR> --d----- c:\program files\Lavasoft
2009-01-24 14:08 <DIR> --d----- c:\users\jesse\.housecall6.6
2009-01-22 00:33 <DIR> --d----- C:\restorepoint

==================== Find3M ====================

2009-02-07 15:26 676,772 a------- c:\windows\system32\perfh013.dat
2009-02-07 15:26 131,268 a------- c:\windows\system32\perfc013.dat
2009-02-05 23:42 14,286 a------- c:\users\jesse\appdata\roaming\wklnhst.dat
2008-12-27 12:39 51,200 a------- c:\windows\inf\infpub.dat
2008-12-27 12:39 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-27 12:39 86,016 a------- c:\windows\inf\infstor.dat
2008-12-27 12:38 413,696 a------- c:\windows\system32\wrap_oal.dll
2008-12-27 12:38 110,592 a------- c:\windows\system32\OpenAL32.dll
2008-11-23 10:36 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-09-14 16:48 24 a------- c:\users\jesse\jagex_runescape_preferences.dat
2008-06-19 16:47 174 a--sh--- c:\program files\desktop.ini
2008-06-18 22:49 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-19 17:14 22,328 a------- c:\users\jesse\appdata\roaming\PnkBstrK.sys
2007-09-08 14:55 336,440 a------- c:\windows\inf\perflib\0413\perfi.dat
2007-09-08 14:55 336,440 a------- c:\windows\inf\perflib\0413\perfh.dat
2007-09-08 14:55 41,976 a------- c:\windows\inf\perflib\0413\perfd.dat
2007-09-08 14:55 41,976 a------- c:\windows\inf\perflib\0413\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-01-23 23:41 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-01-23 23:41 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-01-23 23:41 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-09-08 15:11 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 14:49:18,39 ===============

Edited by PropagandaPanda, 19 February 2009 - 11:44 AM.


#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:56 AM

Posted 19 February 2009 - 11:46 AM

Hello.

Just looks like a few leftovers.

Kaspersky detected a "risk tool", a program that can potentially be used for malicious purposes. Also, a keygen, which I suggest highly that you delete.

Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead only click "Save Logfile". Please read this thread and rescan again only using the (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing the new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

With Regards,
The Panda

#14 DRUMz

DRUMz
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:06:56 AM

Posted 19 February 2009 - 02:42 PM

Well, I did remove with Malwarebytes, and restarted my computer.
But I had saved the log before that.

I'll let Malwarebytes scan one more time, and I'll post that.


Regards,

Jesse

Edited by DRUMz, 19 February 2009 - 02:43 PM.


#15 DRUMz

DRUMz
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:06:56 AM

Posted 19 February 2009 - 04:12 PM

Ok. I've scanned again,
no threats found.
Can Kaspersky also delete? If it can, I've probably pressed it.
But do you think it'll be over now?

Many Thanks.

Jesse

Edited by DRUMz, 19 February 2009 - 06:28 PM.
