
Possible Overbached Bloodhound Infection


  • This topic is locked
21 replies to this topic

#1 iamabe411

iamabe411

  • Members
  • 17 posts

Posted 28 February 2009 - 09:25 AM

So, I was dumb enough to attempt to use Combofix. I was deleting processes well until I recognized a pattern from another Combofix forum; I just told Combofix to delete everything not in my DIR. I am totally aware that that was foolish of me. I am not sure if it needs to be noted, but I formatted my computer 4 times and two computer techs have looked at it. The geek from the squad's drive was copied to my computer. Other symptoms include: UTF-8 browser encoding, WinACE certificates, XML files, Vundo DLLs, browser redirects, corrupt downloads, a significant amount of DCOM/Telephony activity, and I have a slight inkling that my house has a network infection (I saw that the event manager had my brother's computer's name in an event and we do not fileshare).

I will post 2 HJ'S - the first one will be my most recent and the second will include restored items.

Also, is combofix supposed to have a certificate?

I feel sorry for whoever helps me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:59 AM, on 2/28/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16809)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\h\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://onecare.live.com
------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:54 AM, on 2/28/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16809)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\h\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: iksystray.lnk = C:\ITOOLS\IntelliKeys USB\private\iksystray.exe
O13 - Gopher Prefix:
O15 - Trusted Zone: http://onecare.live.com
O23 - Service: IntelliKeys USB Service - IntelliTools, Inc. - C:\ITOOLS\INTELL~1\private\ikusbsvc.exe

*Intellikeys USB is the name of my keyboard, but I am unsure if one exe is infected.

Since the rules say to wait to post a Combofix log, I'll wait.
Thanks!
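The helpers on this board read HijackThis logs like the two above by hand: which entries point at files that no longer exist, what autostarts from the Run keys and the Startup folder, which services are registered, and which processes run from odd places. As an added example (not a tool from this thread, from BleepingComputer, or from Trend Micro), the script below does that first pass mechanically. The sample log inside it is constructed, modelled on the kinds of lines shown in the post above; the allow-listed directory prefixes are an assumption for illustration.

```python
# Added example: first-pass triage of a HijackThis v2 log.
# Not a tool from this thread; SAMPLE_HJT_LOG is constructed from the
# kinds of entries shown in the post above.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log, modelled on the entries in the post above.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:59 AM, on 2/28/2009
Platform: Windows Vista (WinNT 6.00.1904)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\h\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Java(TM) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: iksystray.lnk = C:\ITOOLS\IntelliKeys USB\private\iksystray.exe
O15 - Trusted Zone: http://onecare.live.com
O23 - Service: IntelliKeys USB Service - IntelliTools, Inc. - C:\ITOOLS\INTELL~1\private\ikusbsvc.exe
"""

# HJT entry lines look like "O2 - BHO: ..." / "R1 - HKLM\..." / "F2 - ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFOQ]\d{1,2}) - (?P<body>.+)$")

# Markers HJT prints when the file an entry points at cannot be found.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Assumed allow-list of directories a process is normally expected to run from.
USUAL_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_hjt(log_text: str) -> Dict[str, List[str]]:
    """Group the Rn/On entry lines by their kind (O2, O4, O23, ...).
    Header lines and the running-processes block are skipped here."""
    entries: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("kind")].append(m.group("body"))
    return dict(entries)


def running_processes(log_text: str) -> List[str]:
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    procs: List[str] = []
    in_block = False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def orphaned_entries(entries: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Entries whose target file HJT could not find: typical leftovers of an
    uninstall or a removal, and the usual first cleanup request from a helper."""
    return [(kind, body)
            for kind, bodies in entries.items()
            for body in bodies
            if any(marker in body for marker in ORPHAN_MARKERS)]


def unusual_process_paths(procs: List[str]) -> List[str]:
    """Processes running outside the assumed usual directories. This is a prompt
    to look closer, not a verdict: HijackThis itself runs from C:\\h in the log."""
    return [p for p in procs if not p.lower().startswith(USUAL_PREFIXES)]


def triage(log_text: str) -> Dict[str, list]:
    """Summarise the items a reviewer checks first."""
    entries = parse_hjt(log_text)
    return {
        "orphaned": orphaned_entries(entries),
        "autostarts": entries.get("O4", []),
        "services": entries.get("O23", []),
        "trusted_zones": entries.get("O15", []),
        "unusual_paths": unusual_process_paths(running_processes(log_text)),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_HJT_LOG).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

Run against the sample, the two O2 BHO entries are reported as orphaned (both carry a missing-file marker), the Sidebar and IntelliKeys items appear as autostarts, the IntelliKeys service under O23, onecare.live.com under trusted zones, and C:\h\HijackThis.exe as the one process outside the allow-listed directories. None of these is a malware verdict on its own; the point is to surface what a helper would ask about next.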


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 11 March 2009 - 02:17 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

What exactly did you do with ComboFix? I didn't understand.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

DDS is a tool that gives us a general overview of the condition of your machine.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#3 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 18 March 2009 - 09:14 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

#4 iamabe411

iamabe411
  • Topic Starter

  • Members
  • 17 posts

Posted 26 March 2009 - 03:12 PM

Thank you very much for reopening this thread!

Here is the link to the post I wrote before I read that this post could be reopened:
bleepingcomputer.com/forums/topic214038.html

I should tell that I formatted since my first post, but the link above shows a HJT log from last night.

Here is the DDS log. I performed the scan last night, but stupidly, I didn't save it. Do you think the pif file could have been infected since last night?

Also, should I have performed the scan with all my USBs plugged in? My USB drive has been plugged in only for a few minutes since the format. I am not sure if my webcam has been plugged in since.

Thanks for helping me - a user who is half as dysfunctional as her computer.


DDS (Ver_09-03-16.01) - NTFSx86
Run by s at 14:51:09.39 on Thu 03/26/2009
Internet Explorer: 7.0.6000.16809
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1014.141 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\ITOOLS\IntelliKeys USB\private\iksystray.exe
C:\Program Files\TechSmith\Snagit 9\Snagit32.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\TechSmith\Snagit 9\TSCHelp.exe
C:\ITOOLS\INTELL~1\private\ikusbsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\TechSmith\Snagit 9\SnagPriv.exe
C:\Program Files\TechSmith\Snagit 9\snagiteditor.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\s\Downloads\dds.pif
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
dRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\users\s\appdata\local\temp\sva3m.SH!
StartupFolder: c:\users\s\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\iksyst~1.lnk - c:\itools\intellikeys usb\private\iksystray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 9\Snagit32.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\s\appdata\roaming\mozilla\firefox\profiles\rmvpd3yk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://errorpage.comcast.net/?cat=Web&con=dc&safe=on&q=

============= SERVICES / DRIVERS ===============

S3 DellBIOS;DellBIOS;c:\windows\DellBIOS.Sys [2009-3-4 5120]

=============== Created Last 30 ================

2009-03-26 02:18 <DIR> --d----- c:\users\s\appdata\roaming\FreeCommander
2009-03-26 02:18 <DIR> --d----- c:\program files\FreeCommander
2009-03-25 01:00 <DIR> --d----- c:\program files\ThreatExpert Memory Scanner
2009-03-24 21:44 <DIR> --d----- c:\programdata\TechSmith
2009-03-24 21:40 <DIR> --d----- c:\program files\CCleaner
2009-03-24 21:00 8,192 a------- c:\users\s\uninstall.exe
2009-03-24 21:00 <DIR> --d----- c:\users\s\o
2009-03-24 20:58 <DIR> --d----- c:\program files\PocketRAR
2009-03-24 16:47 <DIR> --d----- c:\program files\Alex Feinman
2009-03-24 15:33 <DIR> --d----- c:\program files\Trend Micro
2009-03-22 23:01 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-03-22 23:01 <DIR> --d----- c:\program files\MSECACHE
2009-03-21 20:00 <DIR> --d----- c:\users\s\appdata\roaming\OpenOffice.org
2009-03-21 19:46 <DIR> --d----- c:\program files\JRE
2009-03-21 19:46 <DIR> --d----- c:\program files\OpenOffice.org 3
2009-03-21 17:23 <DIR> --d----- c:\users\s\appdata\roaming\McAfee
2009-03-19 20:01 <DIR> --d----- c:\program files\common files\Scanner
2009-03-19 20:01 <DIR> --d----- c:\program files\ComcastToolbar
2009-03-19 20:01 <DIR> --d----- c:\users\s\appdata\roaming\ComcastToolbar
2009-03-18 22:53 8,901 a------- c:\windows\system32\Config.MPF
2009-03-18 22:53 143,360 a------- c:\windows\system32\dunzip32.dll
2009-03-18 22:49 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-18 22:49 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-18 22:49 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-18 22:49 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-18 22:49 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-18 22:49 125,728 a------- c:\windows\system32\drivers\Mpfp.sys
2009-03-18 22:48 <DIR> --d----- c:\program files\McAfee.com
2009-03-18 22:48 <DIR> --d----- c:\program files\common files\McAfee
2009-03-18 22:48 <DIR> --d----- c:\program files\McAfee
2009-03-18 22:31 <DIR> --d----- c:\programdata\McAfee
2009-03-18 22:28 <DIR> --d----- c:\users\s\appdata\roaming\PCToolsFirewallPlus
2009-03-18 18:35 <DIR> a-d----- c:\programdata\TEMP
2009-03-18 18:31 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-17 21:32 <DIR> --d----- c:\programdata\Adobe
2009-03-17 20:57 <DIR> --d----- c:\programdata\NOS
2009-03-17 17:25 97,800 a------- c:\windows\system32\infocardapi.dll
2009-03-17 17:25 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-03-17 17:25 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-03-17 17:25 622,080 a------- c:\windows\system32\icardagt.exe
2009-03-17 17:25 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-03-17 17:25 11,264 a------- c:\windows\system32\icardres.dll
2009-03-17 17:25 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-03-17 17:25 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-03-17 16:56 96,760 a------- c:\windows\system32\dfshim.dll
2009-03-17 16:56 282,112 a------- c:\windows\system32\mscoree.dll
2009-03-17 16:56 41,984 a------- c:\windows\system32\netfxperf.dll
2009-03-17 16:55 158,720 a------- c:\windows\system32\mscorier.dll
2009-03-17 16:55 83,968 a------- c:\windows\system32\mscories.dll
2009-03-17 16:27 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-03-17 16:27 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-03-17 16:27 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-03-16 18:39 <DIR> --d----- c:\program files\readmes
2009-03-16 18:39 <DIR> --d----- c:\program files\licenses
2009-03-15 20:07 <DIR> --d----- c:\programdata\is-SQJS9
2009-03-15 20:07 <DIR> --d----- c:\progra~2\is-SQJS9
2009-03-15 19:38 17,965,088 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-15 19:38 167,276 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-15 15:07 <DIR> --d----- c:\programdata\is-UU7H8
2009-03-15 15:07 <DIR> --d----- c:\progra~2\is-UU7H8
2009-03-15 15:06 148,496 a------- c:\windows\system32\drivers\33617923.sys
2009-03-13 12:25 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-13 12:25 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-13 12:25 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-13 12:24 8,147,968 a------- c:\windows\system32\wmploc.DLL
2009-03-13 12:24 269,824 a------- c:\windows\system32\schannel.dll
2009-03-13 12:23 2,028,032 a------- c:\windows\system32\win32k.sys
2009-03-10 20:09 <DIR> --d----- c:\programdata\Skype
2009-03-10 20:08 <DIR> --d----- c:\program files\Skype
2009-03-10 20:07 <DIR> --d----- c:\program files\U.S. Robotics
2009-03-10 20:06 93 a------- c:\windows\usrwiz.ini
2009-03-10 20:05 <DIR> --d----- C:\Temp
2009-03-08 20:42 <DIR> --d----- C:\Lop SD
2009-03-08 19:48 <DIR> --d----- C:\MGADiagToolOutput
2009-03-08 19:47 <DIR> --d----- c:\programdata\Office Genuine Advantage
2009-03-07 17:32 <DIR> --d----- c:\users\s\appdata\roaming\Malwarebytes
2009-03-07 17:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-07 17:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 17:32 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-07 17:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-07 17:32 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-06 19:26 <DIR> --d----- c:\users\s\DoctorWeb
2009-03-06 12:44 268,800 a------- c:\windows\system32\es.dll
2009-03-06 12:43 1,194,496 a------- c:\windows\system32\msxml3.dll
2009-03-06 12:43 2,048 a------- c:\windows\system32\msxml3r.dll
2009-03-06 12:42 12,800 a------- c:\windows\system32\drivers\fs_rec.sys
2009-03-06 12:42 5,120 a------- c:\windows\system32\wmi.dll
2009-03-06 12:42 152,576 a------- c:\windows\system32\imagehlp.dll
2009-03-05 14:46 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2009-03-05 14:46 272,896 a------- c:\windows\system32\polstore.dll
2009-03-05 14:46 61,440 a------- c:\windows\system32\winipsec.dll
2009-03-05 14:46 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2009-03-05 14:44 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-03-05 14:44 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-03-05 14:44 95,232 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-03-05 14:42 205,824 a------- c:\windows\system32\msoeacct.dll
2009-03-05 14:42 87,040 a------- c:\windows\system32\msoert2.dll
2009-03-05 14:42 39,424 a------- c:\windows\system32\ACCTRES.dll
2009-03-05 14:40 194,560 a------- c:\windows\system32\WebClnt.dll
2009-03-05 14:40 110,080 a------- c:\windows\system32\drivers\mrxdav.sys
2009-03-05 14:34 49,664 a------- c:\windows\system32\csrsrv.dll
2009-03-05 14:34 376,320 a------- c:\windows\system32\winsrv.dll
2009-03-05 14:25 297,472 a------- c:\windows\system32\gdi32.dll
2009-03-05 14:24 1,060,920 a------- c:\windows\system32\drivers\ntfs.sys
2009-03-05 14:24 41,984 a------- c:\windows\system32\drivers\monitor.sys
2009-03-05 14:23 211,456 a------- c:\windows\system32\drivers\mrxsmb10.sys
2009-03-05 14:23 374,456 a------- c:\windows\system32\mcupdate_GenuineIntel.dll
2009-03-05 14:21 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-03-05 14:21 4,247,552 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-03-05 14:21 1,687,040 a------- c:\windows\system32\gameux.dll
2009-03-05 14:19 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-03-05 14:18 414,208 a------- c:\windows\system32\msscp.dll
2009-03-05 14:16 356,864 a------- c:\windows\system32\MediaMetadataHandler.dll
2009-03-05 14:15 392,192 a------- c:\windows\system32\FirewallAPI.dll
2009-03-05 14:15 396,800 a------- c:\windows\system32\MPSSVC.dll
2009-03-05 14:15 86,016 a------- c:\windows\system32\icfupgd.dll
2009-03-05 14:15 63,488 a------- c:\windows\system32\drivers\mpsdrv.sys
2009-03-05 14:15 16,896 a------- c:\windows\system32\wfapigp.dll
2009-03-05 14:15 178,688 a------- c:\windows\system32\iphlpsvc.dll
2009-03-05 14:15 61,952 a------- c:\windows\system32\cmifw.dll
2009-03-05 14:15 23,040 a------- c:\windows\system32\drivers\tunnel.sys
2009-03-05 14:15 15,360 a------- c:\windows\system32\drivers\TUNMP.SYS
2009-03-05 14:13 2,048 a------- c:\windows\system32\tzres.dll
2009-03-05 14:11 1,244,672 a------- c:\windows\system32\mcmde.dll
2009-03-05 14:11 428,032 a------- c:\windows\system32\EncDec.dll
2009-03-05 14:11 177,152 a------- c:\windows\system32\mpg2splt.ax
2009-03-05 14:11 292,352 a------- c:\windows\system32\psisdecd.dll
2009-03-05 14:11 217,088 a------- c:\windows\system32\psisrndr.ax
2009-03-05 14:11 80,896 a------- c:\windows\system32\MSNP.ax
2009-03-05 14:11 68,608 a------- c:\windows\system32\Mpeg2Data.ax
2009-03-05 14:11 57,856 a------- c:\windows\system32\MSDvbNP.ax
2009-03-05 14:06 21,560 a------- c:\windows\system32\drivers\atapi.sys
2009-03-05 14:06 109,624 a------- c:\windows\system32\drivers\ataport.sys
2009-03-05 14:06 45,112 a------- c:\windows\system32\drivers\pciidex.sys
2009-03-05 14:06 17,464 a------- c:\windows\system32\drivers\intelide.sys
2009-03-05 14:06 211,000 a------- c:\windows\system32\drivers\volsnap.sys
2009-03-05 14:06 154,624 a------- c:\windows\system32\drivers\nwifi.sys
2009-03-05 14:05 104,448 a------- c:\windows\system32\DWWIN.EXE
2009-03-05 14:05 2,923,520 a------- c:\windows\explorer.exe
2009-03-05 14:04 38,400 a------- c:\windows\system32\drivers\usbehci.sys
2009-03-05 14:04 23,040 a------- c:\windows\system32\drivers\usbuhci.sys
2009-03-05 14:04 8,704 a------- c:\windows\system32\hcrstco.dll
2009-03-05 14:04 8,704 a------- c:\windows\system32\hccoin.dll
2009-03-05 14:04 5,888 a------- c:\windows\system32\drivers\usbd.sys
2009-03-05 14:04 224,768 a------- c:\windows\system32\drivers\usbport.sys
2009-03-05 14:04 192,000 a------- c:\windows\system32\drivers\usbhub.sys
2009-03-05 14:04 73,216 a------- c:\windows\system32\drivers\usbccgp.sys
2009-03-05 14:02 216,632 a------- c:\windows\system32\drivers\netio.sys
2009-03-05 14:02 24,064 a------- c:\windows\system32\netcfg.exe
2009-03-05 14:02 803,328 a------- c:\windows\system32\drivers\tcpip.sys
2009-03-05 14:02 167,424 a------- c:\windows\system32\tcpipcfg.dll
2009-03-05 14:02 22,016 a------- c:\windows\system32\netiougc.exe
2009-03-05 14:00 3,102,720 a------- c:\windows\system32\NlsData0046.dll
2009-03-05 13:55 1,585,664 a------- c:\windows\system32\setupapi.dll
2009-03-05 13:52 82,432 a------- c:\windows\system32\drivers\sdbus.sys
2009-03-05 13:51 223,232 a------- c:\windows\system32\WMASF.DLL
2009-03-05 13:51 9,728 a------- c:\windows\system32\LAPRXY.DLL
2009-03-05 13:51 2,048 a------- c:\windows\system32\asferror.dll
2009-03-05 13:50 268,288 a------- c:\windows\system32\mcbuilder.exe
2009-03-05 13:50 223,232 a------- c:\windows\system32\SLC.dll
2009-03-05 13:50 33,280 a------- c:\windows\system32\slwmi.dll
2009-03-05 13:50 566,784 a------- c:\windows\system32\SLCommDlg.dll
2009-03-05 13:50 351,232 a------- c:\windows\system32\SLUI.exe
2009-03-05 13:50 186,368 a------- c:\windows\system32\SLLUA.exe
2009-03-05 13:50 57,856 a------- c:\windows\system32\SLUINotify.dll
2009-03-05 13:50 2,605,568 a------- c:\windows\system32\SLsvc.exe
2009-03-05 13:50 39,936 a------- c:\windows\system32\slcinst.dll
2009-03-05 13:49 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-03-05 13:49 712,192 a------- c:\windows\system32\WindowsCodecs.dll
2009-03-05 13:49 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-03-05 13:46 113,664 a------- c:\windows\system32\drivers\rmcast.sys
2009-03-05 13:46 14,848 a------- c:\windows\system32\wshrm.dll
2009-03-05 13:45 11,776 a------- c:\windows\system32\sbunattend.exe
2009-03-05 13:44 290,304 a------- c:\windows\system32\drivers\srv.sys
2009-03-05 13:44 83,968 a------- c:\windows\system32\dnsrslvr.dll
2009-03-05 13:44 24,576 a------- c:\windows\system32\dnscacheugc.exe
2009-03-05 13:44 53,760 a------- c:\windows\system32\drivers\hdaudbus.sys
2009-03-05 13:43 2,855,424 a------- c:\windows\system32\mf.dll
2009-03-05 13:43 98,816 a------- c:\windows\system32\mfps.dll
2009-03-05 13:43 52,736 a------- c:\windows\system32\rrinstaller.exe
2009-03-05 13:43 24,576 a------- c:\windows\system32\mfpmp.exe
2009-03-05 13:43 2,048 a------- c:\windows\system32\mferror.dll
2009-03-05 13:43 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-03-05 13:43 94,720 a------- c:\windows\system32\logagent.exe
2009-03-05 13:43 130,048 a------- c:\windows\system32\drivers\srv2.sys
2009-03-05 13:43 101,888 a------- c:\windows\system32\drivers\mrxsmb.sys
2009-03-05 13:43 84,992 a------- c:\windows\system32\drivers\srvnet.sys
2009-03-05 13:43 58,368 a------- c:\windows\system32\drivers\mrxsmb20.sys
2009-03-05 13:42 788,992 a------- c:\windows\system32\rpcrt4.dll
2009-03-05 13:42 737,792 a------- c:\windows\system32\inetcomm.dll
2009-03-05 13:42 84,480 a------- c:\windows\system32\INETRES.dll
2009-03-05 13:41 1,645,568 a------- c:\windows\system32\connect.dll
2009-03-05 13:41 1,327,104 a------- c:\windows\system32\quartz.dll
2009-03-05 13:40 974,336 a------- c:\windows\system32\crypt32.dll
2009-03-05 13:40 3,505,208 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-05 13:40 3,470,904 a------- c:\windows\system32\ntoskrnl.exe
2009-03-05 13:39 633,856 a------- c:\windows\system32\user32.dll
2009-03-05 13:39 1,341,440 a------- c:\windows\system32\msxml6.dll
2009-03-05 13:39 2,048 a------- c:\windows\system32\msxml6r.dll
2009-03-05 13:37 750,080 a------- c:\windows\system32\qmgr.dll
2009-03-05 00:15 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-04 20:43 <DIR> --d----- c:\program files\AVG
2009-03-04 20:41 <DIR> --dsh--- c:\windows\Installer
2009-03-04 20:26 <DIR> --d----- c:\programdata\Geek Squad
2009-03-04 20:26 <DIR> --d----- c:\progra~2\Geek Squad
2009-03-04 20:16 5,120 a------- c:\windows\DellBIOS.Sys
2009-03-04 20:09 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-03-04 20:08 83,456 a------- c:\windows\system32\wudriver.dll
2009-03-04 20:08 162,064 a------- c:\windows\system32\wuwebv.dll
2009-03-04 20:08 31,232 a------- c:\windows\system32\wuapp.exe
2009-03-04 20:05 90,112 a------- c:\windows\system32\snymsico.dll
2009-03-04 20:05 43,520 a------- c:\windows\system32\drivers\rimsptsk.sys
2009-03-04 20:05 37,376 a------- c:\windows\system32\drivers\rixdptsk.sys
2009-03-04 20:05 32,256 a------- c:\windows\system32\drivers\rimmptsk.sys
2009-03-04 20:05 16,480 a------- c:\windows\system32\rixdicon.dll
2009-03-04 20:03 <DIR> --d----- C:\dell
2009-03-04 19:59 <DIR> --d----- c:\users\s\appdata\roaming\Webroot
2009-03-04 16:13 161,792 a------- c:\windows\SWREG.exe
2009-03-04 16:13 98,816 a------- c:\windows\sed.exe
2009-03-02 20:44 122,880 a------- c:\windows\system32\ikeysxfr.exe
2009-03-02 20:44 40,960 a------- c:\windows\system32\IKEYSXFR16.EXE
2009-03-02 20:43 73,728 a------- c:\windows\system32\ikusbco.dll
2009-03-02 20:43 73,728 a------- c:\windows\system32\drivers\ikusbco.dll
2009-03-02 20:43 20,280 a------- c:\windows\system32\drivers\ikfirm.sys
2009-03-02 20:43 73,728 a------- c:\windows\system32\ikusb.cpl
2009-03-02 20:43 <DIR> --d----- C:\ITOOLS
2009-03-02 20:43 <DIR> --d----- c:\windows\IntelliTools
2009-03-02 20:43 154 a------- c:\windows\ITOOLS_X.INI
2009-03-02 20:42 <DIR> --d----- c:\users\s\IntelliKeys USB Win 3.1 Installer
2009-03-02 01:48 <DIR> --d----- c:\users\s
2009-03-02 01:36 <DIR> --d----- c:\windows\Panther
2009-03-02 01:36 8,192 a--s-r-- C:\BOOTSECT.BAK
2009-03-02 01:36 438,840 a--shr-- C:\bootmgr
2009-03-02 01:36 <DIR> --dsh--- C:\Boot
2009-03-02 01:35 36 a---hr-- c:\windows\DELL_VERSION
2009-03-02 01:35 <DIR> --d----- c:\windows\system32\OEM
2009-03-02 00:23 <DIR> --d----- C:\Downloads

==================== Find3M ====================

2009-03-18 18:33 86,016 a------- c:\windows\inf\infstor.dat
2009-03-18 18:33 51,200 a------- c:\windows\inf\infpub.dat
2009-03-18 18:33 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-05 17:02 174 a--sh--- c:\program files\desktop.ini
2009-03-05 15:13 665,600 a------- c:\windows\inf\drvindex.dat
2009-03-05 14:41 704,000 a------- c:\windows\system32\PhotoScreensaver.scr
2009-03-05 14:41 24,064 a------- c:\windows\system32\wtsapi32.dll
2009-03-05 14:41 20,920 a------- c:\windows\system32\drivers\compbatt.sys
2009-03-05 14:41 258,232 a------- c:\windows\system32\drivers\acpi.sys
2009-03-05 14:41 14,208 a------- c:\windows\system32\drivers\CmBatt.sys
2009-03-05 14:41 11,264 a------- c:\windows\system32\drivers\wmiacpi.sys
2009-03-05 14:41 28,344 a------- c:\windows\system32\drivers\battc.sys
2009-03-05 14:41 542,720 a------- c:\windows\system32\sysmain.dll
2009-03-05 14:41 47,104 a------- c:\windows\system32\wlanapi.dll
2009-03-05 14:41 502,784 a------- c:\windows\system32\wlansvc.dll
2009-03-05 14:41 297,984 a------- c:\windows\system32\wlansec.dll
2009-03-05 14:41 290,816 a------- c:\windows\system32\wlanmsm.dll
2009-03-05 14:41 67,584 a------- c:\windows\system32\wlanhlp.dll
2009-03-05 14:37 826,368 a------- c:\windows\system32\wininet.dll
2009-03-05 14:37 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-03-05 14:37 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-03-05 14:37 56,320 a------- c:\windows\system32\iesetup.dll
2009-03-05 14:21 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-03-05 14:21 2,144,256 a------- c:\windows\apppatch\AcGenral.dll
2009-03-05 14:21 537,600 a------- c:\windows\apppatch\AcLayers.dll
2009-03-05 14:21 449,536 a------- c:\windows\apppatch\AcSpecfc.dll
2009-03-05 14:21 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-03-05 14:00 3,102,720 a------- c:\windows\system32\NlsData0045.dll
2009-03-05 13:54 371,712 a------- c:\windows\system32\srcore.dll
2009-03-05 13:47 220,160 a------- c:\windows\system32\ntprint.dll
2009-01-21 11:21 128,611,035 a------- c:\program files\openofficeorg1.cab
2009-01-21 11:14 336 a------- c:\program files\setup.ini
2009-01-21 11:14 9,780,224 a------- c:\program files\openofficeorg30.msi
2008-12-17 05:17 426,776 a------- c:\program files\setup.exe
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2002-03-11 04:06 1,822,520 a------- c:\program files\instmsiw.exe
2002-03-11 03:45 1,708,856 a------- c:\program files\instmsia.exe
2006-11-22 09:57 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 14:54:29.90 ===============


#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 26 March 2009 - 03:58 PM

Hello.

A format would have removed any infections.

Please tell me what issues are present at the moment.

With Regards,
The Panda

#6 iamabe411

iamabe411
  • Topic Starter

  • Members
  • 17 posts

Posted 26 March 2009 - 04:37 PM

I have to come up with a list of symptoms, but while you're here, I'll list symptoms that come to mind.

Don't you think it is weird that generic.dx was detected when otscanit was downloaded? I downloaded it last night to see if the scan would detect anything.

When I did an online scan last night with OneCare, Asian characters were present in numerous file names; I think they were Thai, but I do not speak Thai. Also, after some files, PEcompact2 2.5 was in parentheses.

My computer would not let me boot from the Kaspersky and Dr. Web CDs I burned.

Access is denied to the "Documents and Settings" folder in my C: drive.

McAfee QuickClean cannot delete registry keys it finds that the scan says can be removed.

Download.com's layout looks different and has many ads that do not look like they are from their distributors.

I am pretty sure that these keypaths indicate programs that run upon startup:

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name : SunJavaUpdateSched
Type : REG_SZ
Data : "C:\Program Files\Java\jre6\bin\jusched.exe"
Key Modified Time : 3/18/2009 10:48:38 PM
Data Length : 45
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name : Adobe Reader Speed Launcher
Type : REG_SZ
Data : "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Key Modified Time : 3/18/2009 10:48:38 PM
Data Length : 57
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name : mcagent_exe
Type : REG_SZ
Data : C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
Key Modified Time : 3/18/2009 10:48:38 PM
Data Length : 54
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
Name :
Type : REG_SZ
Data :
Key Modified Time : 3/17/2009 9:32:37 PM
Data Length : 1
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Name : Installed
Type : REG_SZ
Data : 1
Key Modified Time : 3/17/2009 9:32:37 PM
Data Length : 2
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Name :
Type : REG_SZ
Data :
Key Modified Time : 3/17/2009 9:32:37 PM
Data Length : 1
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
Name : NoChange
Type : REG_SZ
Data : 1
Key Modified Time : 3/17/2009 9:32:37 PM
Data Length : 2
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
Name : Installed
Type : REG_SZ
Data : 1
Key Modified Time : 3/17/2009 9:32:37 PM
Data Length : 2
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
Name :
Type : REG_SZ
Data :
Key Modified Time : 3/17/2009 9:32:37 PM
Data Length : 1
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
Name : Installed
Type : REG_SZ
Data : 1
Key Modified Time : 3/17/2009 9:32:37 PM
Data Length : 2
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
Name :
Type : REG_SZ
Data :
Key Modified Time : 3/17/2009 9:32:37 PM
Data Length : 1
==================================================

And I did not even know what Microsoft Flight Simulator was until I looked it up.

Some DLLs have vidc components in them. This was revealed by RegScanner.

Winspywareprotect was detected by my comcast spyware scan. I am not sure if the spyware came back under a restore file.

Does my DDS log reveal anything?

I apologize if I am a computer hypochondriac.

Thanks for looking at my symptoms!
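The RegScanner blocks in the post above are the thread's own output. As an added example (not code from the original post), here is a small Python parser for that export format that keeps only the values Windows actually executes at logon, that is, values stored directly under a Run or RunOnce key, and pulls the executable path out of each command line. The sample export is constructed from the records in the post.

```python
"""Parse a RegScanner-style text export (the '=====' delimited blocks) and list
the logon autostart entries it contains. Added example; not the tool's own code."""
import re
from typing import Dict, List

# Constructed sample, copied in shape from the RegScanner output in the post.
SAMPLE_EXPORT = r"""
==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name : SunJavaUpdateSched
Type : REG_SZ
Data : "C:\Program Files\Java\jre6\bin\jusched.exe"
Key Modified Time : 3/18/2009 10:48:38 PM
Data Length : 45
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name : mcagent_exe
Type : REG_SZ
Data : C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
Key Modified Time : 3/18/2009 10:48:38 PM
Data Length : 54
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Name : Installed
Type : REG_SZ
Data : 1
Key Modified Time : 3/17/2009 9:32:37 PM
Data Length : 2
==================================================
"""

SEPARATOR = re.compile(r"^=+\s*$")
# Field name is everything before the first colon; the value may itself contain colons.
FIELD = re.compile(r"^(?P<field>[^:]+?)\s*:\s?(?P<value>.*)$")
# Extension must be followed by whitespace or end of string, so "McAfee.com\" is not a hit.
EXT = re.compile(r"\.(?:exe|dll|cmd|bat|com|scr)(?=\s|$)", re.IGNORECASE)

# Keys whose *direct* values the logon process runs. Values in subkeys such as
# Run\OptionalComponents\IMAIL are not enumerated by the Run loader.
RUN_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".casefold(),
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce".casefold(),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run".casefold(),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".casefold(),
}


def parse_regscanner_export(text: str) -> List[Dict[str, str]]:
    """Split the export into one dict per '=====' delimited block."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR.match(line):
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD.match(line)
        if m:
            current[m.group("field").strip()] = m.group("value").strip()
    if current:
        records.append(current)
    return records


def is_logon_autostart(record: Dict[str, str]) -> bool:
    """True only for a named, non-empty value stored directly under a Run key."""
    key = record.get("Registry Key", "").casefold()
    return key in RUN_KEYS and bool(record.get("Name")) and bool(record.get("Data"))


def executable_from_command(command: str) -> str:
    """Recover the program path from a Run value: quoted path, or the unquoted
    prefix ending in an executable extension (a heuristic for the unquoted case)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = EXT.search(command)
    return command[: m.end()] if m else command.split(" ", 1)[0]


def logon_autostarts(text: str) -> List[Dict[str, str]]:
    """Return the autostart entries with the executable pulled out of each command."""
    out = []
    for rec in parse_regscanner_export(text):
        if is_logon_autostart(rec):
            out.append({"name": rec["Name"], "key": rec["Registry Key"],
                        "command": rec["Data"],
                        "executable": executable_from_command(rec["Data"])})
    return out


if __name__ == "__main__":
    for entry in logon_autostarts(SAMPLE_EXPORT):
        print(f'{entry["name"]:24} -> {entry["executable"]}')
```

The same extraction applies to a real export of the Run keys: an entry whose executable lives outside the expected vendor directory, or whose name is random-looking, is the one to look at first.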

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:16 PM

Posted 26 March 2009 - 06:46 PM

Hello.

The DDS scan log is clean.

Please be more specific. Which files were detected in scans, and which registry keys?

My computer would not let me boot from the Kaspersky and Dr. Web CDs I burned.

Malware cannot affect bootable disks. The problem is likely your BIOS boot sequence.

Access is denied to the "Documents and Settings" folder in my C: drive.

I am too :thumbup2: .

Download.com's layout looks different and has many ads that do not look like they are from their distributors.

Please give me links to the pages in question.

With Regards,
The Panda

Edited by PropagandaPanda, 26 March 2009 - 06:46 PM.


#8 iamabe411

iamabe411
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:09:16 PM

Posted 26 March 2009 - 07:35 PM

I thought mebroot affected the bootsector.

Here is the download.com link:
download.cnet.com/3001-2239_4-10320142.html?spi=e10c72372953608c97fb280f19a8a684

Before, this different looking download.com had an ad for somehow obtaining the free version of avg by having users enter their email and filling out three surveys. I do not think that download.com would have such an ad that is set up to scam. I am also used to having there be a box with a link to the vendor's site. This download.com looked different even before I added noscript.

I'll add a screenshot to show the site - in case the site looks different for you.

I'll include a scan for the vidc components below. RegScanner did not detect them. I first noticed one vidc component when I searched for something. I googled it, found out it was uncommon, then saw it could indicate a virus. I then told RegScanner to search for the rest of these files.

I also have desktop.ini files everywhere - including 2 on my desktop.

I apologize for the stupid questions - like the one about the "Documents and Settings" folder. :D I laugh at myself

Thanks!

==================================================
Registry Key : HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.mrle
Type : REG_SZ
Data : msrle32.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 12
==================================================

==================================================
Registry Key : HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.msvc
Type : REG_SZ
Data : msvidc32.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 13
==================================================

==================================================
Registry Key : HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.uyvy
Type : REG_SZ
Data : msyuv.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 10
==================================================

==================================================
Registry Key : HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.yuy2
Type : REG_SZ
Data : msyuv.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 10
==================================================

==================================================
Registry Key : HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.yvyu
Type : REG_SZ
Data : msyuv.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 10
==================================================

==================================================
Registry Key : HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.iyuv
Type : REG_SZ
Data : iyuv_32.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 12
==================================================

==================================================
Registry Key : HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.i420
Type : REG_SZ
Data : iyuv_32.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 12
==================================================

==================================================
Registry Key : HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.yvu9
Type : REG_SZ
Data : tsbyuv.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 11
==================================================

==================================================
Registry Key : HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.cvid
Type : REG_SZ
Data : iccvid.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 11
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.mrle
Type : REG_SZ
Data : msrle32.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 12
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.msvc
Type : REG_SZ
Data : msvidc32.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 13
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.uyvy
Type : REG_SZ
Data : msyuv.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 10
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.yuy2
Type : REG_SZ
Data : msyuv.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 10
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.yvyu
Type : REG_SZ
Data : msyuv.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 10
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.iyuv
Type : REG_SZ
Data : iyuv_32.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 12
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.i420
Type : REG_SZ
Data : iyuv_32.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 12
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.yvu9
Type : REG_SZ
Data : tsbyuv.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 11
==================================================

==================================================
Registry Key : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Name : vidc.cvid
Type : REG_SZ
Data : iccvid.dll
Key Modified Time : 3/10/2009 8:03:45 PM
Data Length : 11
==================================================

Attached Files

  • Attached File  dw.png   329.14KB   7 downloads


#9 iamabe411

iamabe411
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:09:16 PM

Posted 26 March 2009 - 07:43 PM

I should also add that I downloaded regscanner because regedit won't let me search - even for the word "run." I was not going to change anything in there - I was just looking for keys in case HJT missed any startup keys.

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:16 PM

Posted 27 March 2009 - 07:25 AM

Hello.

The Download.net page looks the same here.

I'll include a scan for the vidc components below. RegScanner did not detect them. I first noticed one vidc component when I searched for something. I googled it, found out it was uncommon, then saw it could indicate a virus. I then told RegScanner to search for the rest of these files.

There does not appear to be an issue.

Please tell me where you saw it labelled as an infection.

I also have desktop.ini files everywhere - including 2 on my desktop.

Me too :thumbup2: . You can hide the hidden and system files.
  • Double click the My Computer icon.
  • In the explorer window that pops-up, select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Remove the checkmark from the checkbox labeled Display the Contents of System Folders.
  • Put a checkmark in the checkbox labeled Hide File Extensions for Known File Types, if it is not already unchecked.
  • Put a checkmark in the checkbox labeled Hide Protected Operating System Files, if it is not already unchecked.
  • Click the Apply button and then the OK button.
  • Close all the windows.
With Regards,
The Panda

#11 iamabe411

iamabe411
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:09:16 PM

Posted 27 March 2009 - 04:03 PM

Thanks for the info!

I tested the catchme exe that came with OTScanIt to check if it was a false positive or not. Six scanners detected it as a virus on virustotal.com. And I downloaded it from this site. Here is the link:

https://www.virustotal.com/analisis/1e18fcb...d646dbd00c5dc64

These files are also in my System32 folder:
7B296FB0-376B-497e-B012-9C450E1B7327-2P-0
7B296FB0-376B-497e-B012-9C450E1B7327-2P-1
12520437.cpx
12520850.cpx

I read that one of the first two indicates that Windows Updater was disabled.

Do you think we can do anything about this?

Thanks!

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:16 PM

Posted 27 March 2009 - 07:00 PM

Hello.

Catchme.exe that is included in OTScanIt is a rootkit detector. It is not malicious.

I don't think Windows Updates, if that is what you were referring to, is related. Let's test that out.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.
  • Click the Start Menu (or Windows Orb), then All Programs, then Windows Update.
  • On the left, choose Change Settings
  • Ensure that the checkbox Use Microsoft Update at the bottom of the window is checked.
  • Press OK and accept the UAC prompt. You shouldn't need to check this checkbox every single time you update, only the first time.
  • Click Check for Updates in the upper left corner.
  • Follow the instructions to install the latest updates.
  • Reboot and repeat the "Check for Updates" until there are no more critical updates to install.
Tell me how it goes.

With Regards,
The Panda

#13 iamabe411

iamabe411
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:09:16 PM

Posted 27 March 2009 - 09:58 PM

I am including a thumbnail of what came up when I looked at Windows Updates settings. I did not see the "Use Microsoft update" checkbox. When I clicked ok, the UAC did not pop up. Additionally, I do not see any updates installed under my HJT uninstall list. They are on my list downstairs.

Can you check whether the logfile from another computer I have indicates anything wrong?

Thanks



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:55 PM, on 3/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\ITOOLS\INTELL~1\private\ikusbsvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\System32\ezSP_Px.exe
D:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
C:\WINDOWS\system32\WDBtnMgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\D-Link\D-Link USB Phone Adapter\DPH-50U Utility.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\QTTask.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\ITOOLS\IntelliKeys USB\private\iksystray.exe
C:\Program Files\Sony\giga pocket\ReserveModule.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Sony\giga pocket\RM_SV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\PROGRA~1\LINKSY~1\LinksysAdvisor.exe
C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\3sq9eflo.slt\prefs.js)
O1 - Hosts: 206.69.163.52 cccjbar.colum.edu
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [iRiver Updater] "d:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [uxnkoaus] C:\WINDOWS\System32\ebaiqlvv.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [VAIO Recovery] "C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [TLinkAgent] C:\Program Files\D-Link\D-Link USB Phone Adapter\DPH-50U Utility.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: iksystray.lnk = C:\ITOOLS\IntelliKeys USB\private\iksystray.exe
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\giga pocket\ReserveModule.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,19/mcgdmgr.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - http://download.newaol.com/bkpromo/downloa...formerSetup.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\sony\giga pocket\shwserv.exe
O23 - Service: IntelliKeys USB Service - IntelliTools, Inc. - C:\ITOOLS\INTELL~1\private\ikusbsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\giga pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\giga pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14118 bytes

#14 iamabe411

iamabe411
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:09:16 PM

Posted 27 March 2009 - 10:00 PM

I accidentally hit the "submit" button before I hit upload. :D


#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:16 PM

Posted 28 March 2009 - 09:25 AM

Hello.

The HijackThis log you just posted is infected.

Please start another topic for different computers.

The screen you attached is the automatic updates. It looks functional.

Does the computer look for updates at that time?

With Regards,
The Panda
