
GOOGLE RE-DIRECT VIRUS C:\WINDOWS\SYSTEM32\GXVXCCOUNTER


  • This topic is locked
10 replies to this topic

#1 johnnyblaze1981

  • Members
  • 6 posts

Posted 24 April 2009 - 02:28 AM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jenn at 1:07:38.87 on Fri 04/24/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1440 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Documents and Settings\Jenn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Jenn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jenn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jenn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jenn\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hotmail.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye.exe
uRun: [Google Update] "c:\documents and settings\jenn\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.171,85.255.112.109
TCP: {75E56D5C-03FD-40B1-9E51-1BD1B28EEBC1} = 85.255.112.171,85.255.112.109
TCP: {9B4A6C8C-F36B-4ECF-955C-04464CD00E22} = 85.255.112.171,85.255.112.109
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-7 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-7 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-7 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-7 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-7 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-7 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-7 40552]
S3 0e7D;0e7D;c:\windows\system32\0e7D.sys [2009-4-23 54624]
S3 719A9;719A9;c:\windows\system32\719A9.sys [2009-4-23 54624]
S3 72616;72616;c:\windows\system32\72616.sys [2009-4-23 54624]
S3 c231E;c231E;c:\windows\system32\c231E.sys [2009-4-23 54624]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-7 34216]

=============== Created Last 30 ================

2009-04-24 00:37 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-24 00:37 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 00:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-24 00:05 <DIR> --d----- c:\docume~1\jenn\applic~1\Malwarebytes
2009-04-24 00:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-24 00:03 <DIR> --d-h--- c:\windows\PIF
2009-04-23 23:27 54,624 a------- c:\windows\system32\72616.sys
2009-04-23 23:27 2,335,270 a------- c:\windows\system32\c3015.mht
2009-04-23 22:05 54,624 a------- c:\windows\system32\0e7D.sys
2009-04-23 22:05 2,335,270 a------- c:\windows\system32\e51C.mht
2009-04-23 21:58 54,624 a------- c:\windows\system32\c231E.sys
2009-04-23 21:56 2,335,270 a------- c:\windows\system32\343E.mht
2009-04-23 21:26 54,624 a------- c:\windows\system32\719A9.sys
2009-04-23 21:26 2,335,270 a------- c:\windows\system32\c71A8.mht
2009-04-23 00:34 32,768 a------- c:\windows\system32\drivers\gxvxcpkhbqltepxgiorgoxubqtvvmwrqhcxdy.sys.REN
2009-04-22 16:48 14,336 a------- c:\windows\system32\gxvxcppqlxypyvyxmjovmlchiuixvqogggwyr.dll.REN
2009-04-22 16:48 4 a------- c:\windows\system32\gxvxccounter.REN
2009-04-22 16:48 32,768 a------- c:\windows\system32\drivers\gxvxcmteyhltodotmrtlqtjlhmnkcbbglkbqb.sys.REN
2009-04-22 16:48 0 a------- c:\windows\system32\budda
2009-04-22 16:14 <DIR> --d----- c:\program files\Avery
2009-04-19 19:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\2DBoy
2009-04-19 19:02 <DIR> --d----- c:\program files\WorldOfGoo
2009-04-18 20:49 <DIR> --d----- c:\docume~1\jenn\applic~1\Hoyle
2009-04-18 20:39 3,786,760 a------- c:\windows\system32\D3DX9_37.dll
2009-04-18 20:07 16 a------- c:\windows\popcinfot.dat
2009-04-18 17:46 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-04-18 17:46 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-04-18 12:04 <DIR> --d----- c:\program files\Hasbro
2009-04-16 19:19 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-16 19:19 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-16 19:19 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-16 19:19 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 19:19 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-16 19:19 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 19:19 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 19:19 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-16 19:19 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-16 19:18 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 19:18 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 19:18 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-16 15:20 <DIR> --d----- c:\program files\OLYMPUS
2009-04-07 12:51 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2009-04-07 12:51 21,504 a------- c:\windows\system32\hidserv.dll
2009-04-07 12:51 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-04-07 12:51 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-04-07 12:51 60,032 ac------ c:\windows\system32\dllcache\usbaudio.sys
2009-04-07 12:51 60,032 a------- c:\windows\system32\drivers\USBAUDIO.sys
2009-04-05 21:32 <DIR> --d----- c:\docume~1\jenn\applic~1\AVS4YOU
2009-04-05 21:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-04-05 21:30 <DIR> --d----- c:\program files\common files\AVSMedia
2009-04-05 21:29 24,576 a------- c:\windows\system32\msxml3a.dll
2009-04-05 14:56 <DIR> --d----- c:\docume~1\jenn\applic~1\Hoyle FaceCreator
2009-04-05 14:56 <DIR> --d----- c:\docume~1\jenn\applic~1\Hoyle Puzzle and Board Games
2009-04-05 14:54 <DIR> --d----- c:\program files\Encore
2009-03-27 12:17 0 a---h--- c:\windows\SwSys2.bmp
2009-03-27 12:17 0 a---h--- c:\windows\SwSys1.bmp
2009-03-25 14:52 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================

2009-04-22 17:56 27,240 a------- c:\windows\system32\nvModes.dat
2009-03-25 11:06 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-11 20:59 112,384 a------- c:\windows\hpoins07.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-07 21:07 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-07 20:34 5 a------- c:\windows\system32\drivers\DELL_XPS_Vostro 1400 .MRK
2009-03-07 20:34 5 a------- c:\windows\system32\drivers\1028_DELL_XPS_Vostro 1400 .MRK
2009-03-07 20:29 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-03-07 20:29 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-03-07 19:46 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-03-06 08:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 18:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 12:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 06:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 06:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 06:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 06:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 05:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 05:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 04:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 04:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 13:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 1:08:36.14 ===============


#2 johnnyblaze1981
  • Topic Starter

  • Members
  • 6 posts

Posted 24 April 2009 - 02:45 AM

Google redirects me quite a bit, and the laptop freezes on occasion. I have McAfee and also ran McAfee Rootkit Detective; it detects the GXVXCCOUNTER files and says it deletes them, but upon restart and rescan they reappear, sometimes with more hidden registry entries with the same filename included. I have seen the advice given here and could really use a helping hand. I am working on my master's degree and work mainly on this cpu. I have backed up all files and am just hoping for some help removing this bad bad rootkit crap. Thanks

#3 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 April 2009 - 04:28 PM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 johnnyblaze1981
  • Topic Starter

  • Members
  • 6 posts

Posted 24 April 2009 - 05:51 PM

Hello Sam, and let me start by saying thank you so much for getting back to me. This is some problem, I tell you. I appreciate your expertise and your time on this matter. Here is the ComboFix log. I hope it gives this problem some direction. Thanks again

ComboFix 09-04-25.03 - Jenn 04/24/2009 16:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1530 [GMT -6:00]
Running from: c:\documents and settings\Jenn\Desktop\ComboFix2.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gxvxcppqlxypyvyxmjovmlchiuixvqogggwyr.dll.REN

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.

2009-04-24 21:39 . 2009-04-24 21:39 -------- d-----w c:\documents and settings\Jenn\Application Data\McAfee
2009-04-24 20:28 . 2009-04-24 20:28 54624 ----a-w c:\windows\system32\a492F.sys
2009-04-24 20:28 . 2009-04-24 20:28 2335270 ----a-w c:\windows\system32\0c82E.mht
2009-04-24 19:25 . 2009-04-24 19:25 54624 ----a-w c:\windows\system32\b2a28.sys
2009-04-24 19:19 . 2009-04-24 19:19 2335270 ----a-w c:\windows\system32\59817.mht
2009-04-24 06:37 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 06:37 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 06:05 . 2009-04-24 06:05 -------- d-----w c:\documents and settings\Jenn\Application Data\Malwarebytes
2009-04-24 06:05 . 2009-04-24 06:05 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-24 06:03 . 2009-04-24 06:03 -------- d--h--w c:\windows\PIF
2009-04-24 05:27 . 2009-04-24 05:27 54624 ----a-w c:\windows\system32\72616.sys
2009-04-24 05:27 . 2009-04-24 05:27 2335270 ----a-w c:\windows\system32\c3015.mht
2009-04-24 04:05 . 2009-04-24 04:05 54624 ----a-w c:\windows\system32\0e7D.sys
2009-04-24 04:05 . 2009-04-24 04:05 2335270 ----a-w c:\windows\system32\e51C.mht
2009-04-24 03:58 . 2009-04-24 03:58 54624 ----a-w c:\windows\system32\c231E.sys
2009-04-24 03:56 . 2009-04-24 03:56 2335270 ----a-w c:\windows\system32\343E.mht
2009-04-24 03:26 . 2009-04-24 03:26 54624 ----a-w c:\windows\system32\719A9.sys
2009-04-24 03:26 . 2009-04-24 03:26 2335270 ----a-w c:\windows\system32\c71A8.mht
2009-04-23 06:34 . 2009-04-23 06:34 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-23 06:34 . 2009-04-23 06:34 32768 ----a-w c:\windows\system32\drivers\gxvxcpkhbqltepxgiorgoxubqtvvmwrqhcxdy.sys.REN
2009-04-22 22:48 . 2009-04-24 01:59 4 ----a-w c:\windows\system32\gxvxccounter.REN
2009-04-22 22:48 . 2009-04-22 22:48 32768 ----a-w c:\windows\system32\drivers\gxvxcmteyhltodotmrtlqtjlhmnkcbbglkbqb.sys.REN
2009-04-22 22:48 . 2009-04-22 22:48 0 ----a-w c:\windows\system32\budda
2009-04-20 01:03 . 2009-04-20 01:03 -------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2009-04-19 02:49 . 2009-04-22 23:56 -------- d-----w c:\documents and settings\Jenn\Application Data\Hoyle
2009-04-19 02:39 . 2008-03-05 21:56 3786760 ----a-w c:\windows\system32\D3DX9_37.dll
2009-04-19 02:07 . 2009-04-21 21:49 16 ----a-w c:\windows\popcinfot.dat
2009-04-18 23:46 . 2001-08-17 19:48 12160 -c--a-w c:\windows\system32\dllcache\mouhid.sys
2009-04-18 23:46 . 2001-08-17 19:48 12160 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-04-17 01:19 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 01:19 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 01:19 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 01:19 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 01:19 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 01:19 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 01:19 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 01:19 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 01:19 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 01:18 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 01:18 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 01:18 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-11 16:06 . 2009-04-11 16:06 -------- d-----w c:\windows\Sun
2009-04-07 18:51 . 2008-04-14 00:11 21504 -c--a-w c:\windows\system32\dllcache\hidserv.dll
2009-04-07 18:51 . 2008-04-14 00:11 21504 ----a-w c:\windows\system32\hidserv.dll
2009-04-07 18:51 . 2008-04-13 18:45 10368 -c--a-w c:\windows\system32\dllcache\hidusb.sys
2009-04-07 18:51 . 2008-04-13 18:45 10368 ----a-w c:\windows\system32\drivers\hidusb.sys
2009-04-07 18:51 . 2008-04-13 18:45 60032 -c--a-w c:\windows\system32\dllcache\usbaudio.sys
2009-04-07 18:51 . 2008-04-13 18:45 60032 ----a-w c:\windows\system32\drivers\USBAUDIO.sys
2009-04-06 03:32 . 2009-04-06 03:32 -------- d-----w c:\documents and settings\Jenn\Application Data\AVS4YOU
2009-04-06 03:32 . 2009-04-06 03:32 -------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-06 03:29 . 2007-02-28 00:36 24576 ----a-w c:\windows\system32\msxml3a.dll
2009-04-05 20:56 . 2009-04-19 05:31 -------- d-----w c:\documents and settings\Jenn\Application Data\Hoyle FaceCreator
2009-04-05 20:56 . 2009-04-18 05:51 -------- d-----w c:\documents and settings\Jenn\Application Data\Hoyle Puzzle and Board Games
2009-03-27 18:17 . 2009-03-27 18:17 0 ---ha-w c:\windows\SwSys2.bmp
2009-03-27 18:17 . 2009-03-27 18:17 0 ---ha-w c:\windows\SwSys1.bmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 21:40 . 2009-03-08 04:30 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-24 06:37 . 2009-04-24 06:37 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-24 01:27 . 2009-04-06 03:30 -------- d-----w c:\program files\Common Files\AVSMedia
2009-04-24 01:26 . 2009-03-08 05:49 -------- d-----w c:\documents and settings\Jenn\Application Data\uTorrent
2009-04-22 23:56 . 2009-03-08 02:10 27240 ----a-w c:\windows\system32\nvModes.dat
2009-04-22 22:17 . 2009-03-08 04:27 76576 ----a-w c:\documents and settings\Jenn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-22 22:14 . 2009-04-22 22:14 -------- d-----w c:\program files\Avery
2009-04-20 01:03 . 2009-04-20 01:02 -------- d-----w c:\program files\WorldOfGoo
2009-04-19 02:35 . 2009-04-05 20:54 -------- d-----w c:\program files\Encore
2009-04-18 18:04 . 2009-04-18 18:04 -------- d-----w c:\program files\Hasbro
2009-04-18 14:39 . 2009-03-08 05:47 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-17 03:44 . 2009-03-08 05:44 -------- d-----w c:\program files\McAfee
2009-04-16 21:20 . 2009-04-16 21:20 -------- d-----w c:\program files\OLYMPUS
2009-04-16 21:20 . 2009-03-08 02:06 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-01 02:06 . 2009-03-08 02:32 -------- d-----w c:\program files\Java
2009-03-25 17:06 . 2009-03-08 05:44 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 17:06 . 2009-03-08 05:44 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 17:06 . 2009-03-08 05:44 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-03-25 17:06 . 2009-01-09 18:03 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-25 17:05 . 2009-03-08 05:39 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-03-24 20:19 . 2009-03-24 20:19 -------- d-----w c:\program files\MSBuild
2009-03-24 20:19 . 2009-03-24 20:19 -------- d-----w c:\program files\Reference Assemblies
2009-03-20 15:15 . 2009-03-08 05:58 -------- d-----w c:\program files\Common Files\Adobe
2009-03-18 18:35 . 2009-03-18 18:35 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-13 22:16 . 2009-03-13 22:16 -------- d-----w c:\program files\TheWeatherNetwork
2009-03-12 21:05 . 2009-03-12 21:05 -------- d-----w c:\program files\MSXML 4.0
2009-03-12 17:29 . 2009-03-12 17:29 -------- d-----w c:\program files\AC3Filter
2009-03-12 17:27 . 2009-03-12 17:27 -------- d-----w c:\program files\Xvid
2009-03-12 03:03 . 2009-03-12 03:03 127 ----a-w c:\documents and settings\Jenn\Local Settings\Application Data\fusioncache.dat
2009-03-12 02:59 . 2009-03-12 02:41 112384 ----a-w c:\windows\hpoins07.dat
2009-03-12 02:55 . 2009-03-12 02:55 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-03-12 02:53 . 2009-03-12 02:53 -------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-03-12 02:53 . 2009-03-12 02:53 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-12 02:53 . 2009-03-12 02:52 -------- d-----w c:\program files\Common Files\HP
2009-03-12 02:50 . 2009-03-12 02:50 -------- d-----w c:\program files\Hewlett-Packard
2009-03-12 02:50 . 2009-03-11 17:53 -------- d-----w c:\program files\HP
2009-03-12 02:48 . 2009-03-12 02:48 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-03-11 17:50 . 2009-03-11 17:50 -------- d-----w c:\documents and settings\Jenn\Application Data\HP
2009-03-10 01:18 . 2009-03-10 01:18 -------- d-----w c:\program files\WordWeb
2009-03-09 11:19 . 2009-03-08 03:45 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-09 02:21 . 2009-03-08 18:58 -------- d-----w c:\program files\PopCap Games
2009-03-08 23:38 . 2009-03-08 23:38 -------- d-----w c:\documents and settings\Jenn\Application Data\Atari
2009-03-08 23:15 . 2009-03-08 23:15 -------- d-----w c:\documents and settings\Jenn\Application Data\Leadertech
2009-03-08 23:15 . 2009-03-08 23:15 -------- d-----w c:\program files\Common Files\PocketSoft
2009-03-08 23:12 . 2009-03-08 23:12 -------- d-----w c:\program files\Atari
2009-03-08 22:16 . 2009-03-08 22:16 -------- d-----w c:\program files\WinISO
2009-03-08 06:39 . 2009-03-08 05:54 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-08 06:39 . 2009-03-08 05:54 -------- d-----w c:\program files\NOS
2009-03-08 05:59 . 2009-03-08 05:59 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-08 05:49 . 2009-03-08 05:49 -------- d-----w c:\program files\uTorrent
2009-03-08 05:46 . 2009-03-08 05:46 -------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-03-08 05:44 . 2009-03-08 05:44 -------- d-----w c:\program files\Common Files\McAfee
2009-03-08 05:44 . 2009-03-08 05:44 -------- d-----w c:\program files\McAfee.com
2009-03-08 05:04 . 2009-03-08 05:04 -------- d-----w c:\program files\GPLGS
2009-03-08 05:03 . 2009-03-08 05:03 -------- d-----w c:\program files\Acro Software
2009-03-08 04:27 . 2009-03-08 04:27 -------- d-----w c:\program files\Dell DataSafe Online
2009-03-08 03:52 . 2009-03-08 03:52 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-08 03:50 . 2009-03-08 03:50 -------- d-----w c:\program files\Common Files\Sony Shared
2009-03-08 03:40 . 2009-03-08 03:40 -------- d-----w c:\program files\Common Files\L&H
2009-03-08 03:40 . 2009-03-08 03:40 -------- d-----w c:\program files\Microsoft.NET
2009-03-08 03:40 . 2009-03-08 03:40 -------- d-----w c:\program files\Microsoft ActiveSync
2009-03-08 03:39 . 2009-03-08 03:39 -------- d-----w c:\program files\Microsoft Works
2009-03-08 03:26 . 2009-03-08 03:25 -------- d-----w c:\program files\Creative
2009-03-08 03:26 . 2009-03-08 03:26 -------- d-----w c:\program files\Common Files\Reallusion
2009-03-08 03:26 . 2009-03-08 03:25 -------- d-----w c:\program files\Creative Live! Cam
2009-03-08 03:25 . 2009-03-08 01:57 -------- d-----w c:\program files\Dell
2009-03-08 03:07 . 2009-03-08 01:48 77423 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-08 03:02 . 2004-08-04 10:00 250048 --sha-r C:\ntldr
2009-03-08 02:34 . 2009-03-08 02:34 5 ----a-w c:\windows\system32\drivers\DELL_XPS_Vostro 1400 .MRK
2009-03-08 02:34 . 2009-03-08 02:34 5 ----a-w c:\windows\system32\drivers\1028_DELL_XPS_Vostro 1400 .MRK
2009-03-08 02:32 . 2009-03-08 02:32 -------- d-----w c:\program files\Common Files\Java
2009-03-08 02:29 . 2009-03-08 02:29 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-03-08 02:29 . 2009-03-08 02:29 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2009-03-08 02:29 . 2009-03-08 02:29 -------- d-----w c:\program files\DellTPad
2009-03-08 02:26 . 2009-03-08 02:26 -------- d-----w c:\program files\CONEXANT
2009-03-08 02:25 . 2009-03-08 02:25 -------- d-----w c:\program files\Modem Diagnostic Tool
2009-03-08 02:23 . 2009-03-08 02:23 -------- d-----w c:\program files\Digital Line Detect
2009-03-08 02:22 . 2009-03-08 02:22 -------- d-----w c:\program files\SigmaTel
2009-03-08 02:20 . 2009-03-08 02:18 -------- d-----w c:\program files\Dell Support Center
2009-03-08 02:18 . 2009-03-08 02:18 -------- d-----w c:\program files\Common Files\supportsoft
2009-03-08 02:18 . 2009-03-08 02:18 -------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft
2009-03-08 02:17 . 2009-03-08 02:17 -------- d-----w c:\documents and settings\Jenn\Application Data\Dell
2009-03-08 02:17 . 2009-03-08 02:17 -------- d-----w c:\documents and settings\Jenn\Application Data\InstallShield
2009-03-08 02:13 . 2009-03-08 02:06 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-08 02:07 . 2009-03-08 02:07 -------- d-----w c:\program files\Broadcom
2009-03-08 02:00 . 2009-03-08 02:00 -------- d-----w c:\program files\Intel
2009-03-08 01:49 . 2009-03-08 01:49 -------- d-----w c:\program files\microsoft frontpage
2009-03-08 01:46 . 2009-03-08 01:46 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-03-04 03:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 10:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 10:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 10:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 10:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 10:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 10:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-03-30 01:21 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2005-03-30 01:01 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-01-16 4519832]
"Google Update"="c:\documents and settings\Jenn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-24 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-01 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-01 81920]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2008-11-03 1745648]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-08-01 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-08-01 67584]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-05-06 405504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-8 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-3-7 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

R3 0e7D;0e7D;c:\windows\system32\0e7D.sys [2009-04-24 04:05 54624]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - 02633
*NewlyCreated* - 51B35
*NewlyCreated* - 93C34
*Deregistered* - 02633
*Deregistered* - 93c34
.
Contents of the 'Scheduled Tasks' folder

2009-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1343024091-682003330-1004.job
- c:\documents and settings\Jenn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-24 19:38]

2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-08 16:53]

2009-03-08 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-08 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 16:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-04-24 16:48
ComboFix-quarantined-files.txt 2009-04-24 22:48

Pre-Run: 100,905,758,720 bytes free
Post-Run: 100,989,476,864 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

277 --- E O F --- 2009-04-17 02:57

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:42 PM

Posted 25 April 2009 - 07:59 AM

I am seeing some odd files in your log that we need to take a closer look at.


Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/ind...howtopic=221937

File::
c:\windows\system32\drivers\gxvxcpkhbqltepxgiorgoxubqtvvmwrqhcxdy.sys.REN
c:\windows\system32\gxvxccounter.REN
c:\windows\system32\drivers\gxvxcmteyhltodotmrtlqtjlhmnkcbbglkbqb.sys.REN

Suspect::[52]
c:\windows\system32\a492F.sys
c:\windows\system32\0c82E.mht
c:\windows\system32\b2a28.sys
c:\windows\system32\59817.mht
c:\windows\system32\72616.sys
c:\windows\system32\c3015.mht
c:\windows\system32\0e7D.sys
c:\windows\system32\e51C.mht
c:\windows\system32\c231E.sys
c:\windows\system32\343E.mht
c:\windows\system32\719A9.sys
c:\windows\system32\c71A8.mht


Save this as CFScript.txt


[image: CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
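Added example, not part of this thread and not ComboFix or DDS code: a small Python script that applies, over constructed lines modelled on the log above, the kind of naming check a helper uses to pick out entries such as 0e7D.sys and the gxvxc* files for a closer look. The three heuristics (4-5 character hex-only file names, the gxvxc prefix, and .mht files sitting directly in system32) are the editor's assumptions drawn from which files Buckeye_Sam listed as suspect; a hit means "worth a closer look", not a verdict, which is consistent with the later reply in this thread.

```python
import re

# Constructed sample lines modelled on the DDS/ComboFix entries in this thread:
# a driver service, two legitimate Run entries, and files of the kind
# the helper listed under File:: and Suspect::.
SAMPLE_LOG = r"""
R3 0e7D;0e7D;c:\windows\system32\0e7D.sys [2009-04-24 04:05 54624]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-01 8466432]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
c:\windows\system32\drivers\gxvxcpkhbqltepxgiorgoxubqtvvmwrqhcxdy.sys.REN
c:\windows\system32\a492F.sys
c:\windows\system32\e51C.mht
"""

# Any drive-letter path ending in .sys/.mht/.dll/.exe; the .REN suffix that
# ComboFix appends to renamed files is kept as part of the path.
PATH_RE = re.compile(r"[a-z]:\\[^\"\[\]\r\n]+?\.(?:sys|mht|dll|exe)(?:\.REN)?", re.I)

# Heuristics (editor's assumptions, derived from which names the helper
# treated as suspect in this thread), not rules from any scanner.
HEX_STEM_RE = re.compile(r"[0-9a-f]{4,5}", re.I)
KNOWN_PREFIX = "gxvxc"


def reasons_for(path: str) -> list:
    """Return the heuristic reasons a system32 path looks suspect ([] if none)."""
    lower = path.lower()
    if "\\system32\\" not in lower:
        return []
    name = path.rsplit("\\", 1)[-1]
    if name.upper().endswith(".REN"):
        name = name[:-4]
    stem, ext = name.rsplit(".", 1)
    reasons = []
    if HEX_STEM_RE.fullmatch(stem):
        reasons.append("4-5 character hex-only file name")
    if stem.lower().startswith(KNOWN_PREFIX):
        reasons.append("gxvxc* prefix named in this thread")
    if ext.lower() == "mht" and "\\drivers\\" not in lower:
        reasons.append(".mht web archive sitting in system32")
    return reasons


def flag_suspicious(log_text: str) -> list:
    """Scan log text; return (path, reasons) for each distinct path that trips a heuristic."""
    seen = {}
    for match in PATH_RE.finditer(log_text):
        path = match.group(0)
        if path in seen:
            continue
        reasons = reasons_for(path)
        if reasons:
            seen[path] = reasons
    return list(seen.items())


if __name__ == "__main__":
    for path, why in flag_suspicious(SAMPLE_LOG):
        print(f"{path}\n    {'; '.join(why)}")
```

Run against the constructed sample, the two NVIDIA and ctfmon Run entries pass untouched while the four random-named or gxvxc-prefixed files come back with the reason each one tripped; on a real log the output is a shortlist to hand to a helper, not something to delete on sight.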

#6 johnnyblaze1981

johnnyblaze1981
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:42 PM

Posted 25 April 2009 - 01:41 PM

Hello Sam, I mistakenly sent you the log to the server and it went through. I realized it was the wrong file and tried to send the right one, and kept getting an error saying it could not connect to the server. The error number was blank. I tried multiple times without success. I will keep retrying. Thank you for your attention and patience. Could not appreciate it more. Should the file be uploaded here or .....

#7 johnnyblaze1981

johnnyblaze1981
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:42 PM

Posted 25 April 2009 - 02:30 PM

The BleepingComputer team has sent me an email saying they cannot send a file that big, and asked me to see if we could find another way of sending the file. Whatever way you think is the best and safest. Thanks again for your time, Sam. File size is 9,418 KB.

Edited by johnnyblaze1981, 25 April 2009 - 04:25 PM.


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:42 PM

Posted 25 April 2009 - 05:02 PM

No problem. Let's trim it down.


Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/ind...howtopic=221937

Suspect::[52]
c:\windows\system32\a492F.sys
c:\windows\system32\b2a28.sys
c:\windows\system32\e51C.mht


Save this as CFScript.txt


[image: CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.



========================================================

#9 johnnyblaze1981

johnnyblaze1981
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:42 PM

Posted 26 April 2009 - 09:28 PM

All the files you last requested, Sam, have been uploaded to the server. Thanks again, bud. :thumbup2:

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:42 PM

Posted 27 April 2009 - 05:09 PM

While those files are suspicious, I don't find any indication that they are malicious. So for now at least, we'll leave them alone.

Please post a new log from Combofix.
How is your computer behaving now?


========================================================

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:42 PM

Posted 14 May 2009 - 11:16 AM

Unfortunately there has been no response. :thumbup2:
This thread will now be closed.


========================================================



