
Hijacked; Generic Rootkit.d!rootkit (NTOSKRNL-HOOK); certainly other probs.


1 reply to this topic

#1 pajuliet

  • Members
  • 9 posts
  • Location: CT, USA

Posted 18 July 2009 - 12:45 AM

A. McAfee scan has found multiple instances of a “Generic Rootkit.d!rootkit”, which it calls NTOSKRNL-HOOK, and classifies as a Trojan. It has both eliminated and quarantined them.
1) As many as 2 to 5 have been found at once.
2) Once “removed,” they appear again in no time.
B. McAfee – Update Error
“An error occurred in updating. Please reinstall these programs:
- McAfee Security Center”
NOT DONE – Expected to be repetitive.
C. Defrag – no access
1) Norton Speed Disk won’t start. Error Message:
“An unexpected error occurred while communicating with the Speed Disk Service (NOPDB.EXE). Please exit Speed Disk, restart the Speed Disk Service, and try again. If the problem persists, reinstall Speed Disk.”
Reinstalled Speed Disk. Same result.
2) Windows XP Accessories Disk Defragmenter Error message:
“Disk Defragmenter could not start.”
D. Backup – presently unable to back up.
1) My backup utility, XXCLONE, will not start. (Last backup was WAY too old.) It returns following Error Message from its initial disk scan:
“The source volume (C:) specified in the command line does not exist, or the volume label does not match. Therefore, it will be ignored.”
2) Windows XP Accessories backup component refused to start as well. Error message:
“The Backup Utility cannot connect to the Removable Storage service. This service is required for use of tape drives and other backup devices. Please exit and start the Removable Storage service using the System Services function of the Management Console.”
Started service. Allowed backup utility to start. It backed up over half of C: drive. But insufficient space on target drive. I mistakenly assumed it would have prepared the drive first...
3) Finally was able to copy all of C: drive to the F: drive, directory by directory, EXCEPT the Windows directory, which I omitted. Seemed that it would contain the brunt of what's wrong with this machine. But, should I copy it as well? Parts? I'd like to have copied all that should be copied before running scans. Please comment.
E. Formatting – Was initially unable to format. I attempted to format backup target drive F: on USB hard drive.
1) Windows Disk Management utility does not see ANY drives. Its window is BLANK.
2) Right-clicking F: in Explorer gave access to the format command. A Quick Format command produced this error message:
“Windows was unable to complete the format.”
3) I finally was able to format the F: drive but do not recall how. I then copied C: drive files to it as described in the previous section.
F. Browser (Firefox)
1) Misdirection to other search or ad aggregation pages when clicking on Google search results ‘headlines’ links. Copy/pasting of the results’ urls works fine.
2) Numerous pop-ups
G. Email (Outlook)
1) Huge numbers of “Mail Undeliverable” messages in Inbox, sent to me and/or my domain, returning obvious spam which I’ve had nothing to do with sending.
H. Taskbar Volume Control – instead of emitting the modulated confirming “beep,” a VERY loud, quick, sharp shriek is heard when making an adjustment to volume.
I. Adobe Acrobat – .pdf files close unexpectedly.

But for the above-described problems, the system is basically, reasonably functional.

Posted this problem at another site first. I have de-activated that thread. At a helper's suggestion I had tried to run GMER.exe and Kaspersky. Could not get either to even run.

Everyone's data is important; mine is terribly so. Please give this as much priority as you can.
Am in your hands.
Thank you,
pajuliet

DDS.txt follows:

DDS (Ver_09-06-26.01) - NTFSx86
Run by PNJ at 0:32:45.18 on Sat 07/18/2009
Internet Explorer: 7.0.5730.11
BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.357 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\tsi32\tsircusr.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Lexico\CleverKeys\CK.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\vghd\VirtuaGirl_downloader.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\PNJ\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;*.local
mWinlogon: Userinit=userinit.exe,c:\windows\tsi32\tsircusr.exe
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: File Print FedEx Kinko's: {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: MyLogoHelper: {ea4587eb-3106-448a-8b31-f1572e981765} - c:\progra~1\edenso~1\MyLogo.dll
BHO: Google Audio Helper: {f88849b8-9394-48ff-b0c7-5e5a55ca47fe} - %SystemRoot%\system32\apphelp01.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: File Print FedEx Kinko's: {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: PopUpCop: {db43e4e6-ff8a-4018-8c8e-f68587a44a73} - c:\progra~1\popupcop\PopUpCop.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [PSDiagnosticM] "c:\program files\linksys wireless-g print server\PSDiagnosticM.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
StartupFolder: c:\docume~1\pnj\startm~1\programs\startup\deskto~1.lnk - c:\program files\vghd\vghd.exe
StartupFolder: c:\docume~1\pnj\startm~1\programs\startup\is-k01dk.lnk - c:\documents and settings\pnj\desktop\virus removal tool\is-k01dk\startup.exe
StartupFolder: c:\documents and settings\pnj\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\clever~1.lnk - c:\program files\lexico\cleverkeys\CK.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Linked Ima&ges - c:\program files\ieimage\IEimage.htm
IE: Open Image in New Window - c:\progra~1\popupcop\popupcop.dll/imagenew
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {C642FC8F-CB75-4175-AC03-AA40F2D9308D} - c:\program files\bytescout movies extractor scout\flashextract.exe
IE: {D8980DE8-9D4C-4fb0-8FB4-95B1FA4125AD} - c:\program files\ieimage\IEimage.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: aol.com\free
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\*.update
Trusted Zone: turbotax.com
Trusted Zone: windowsupdate.com\download
DPF: Microsoft XML Parser for Java
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {428A9DEF-F057-402B-9F2D-A5887F4544ED} - hxxp://download.microsoft.com/download/f/0/2/f02b515c-7076-4cee-bc08-fd6fea594578/VirtualEarth3D.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189220628437
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189220548593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://intranets.webex.com/client/T23L/webex/ieatgpc.cab
TCP: NameServer = 85.255.112.232,85.255.112.234
TCP: {8C66A413-8F61-4707-980E-315FD4CAE4A4} = 85.255.112.232,85.255.112.234
TCP: {9D14B209-E30C-4A45-8B59-FE03EC6526B4} = 85.255.112.232,85.255.112.234
TCP: {D09D7F02-F45D-4291-99F9-18C28B83D630} = 85.255.112.232,85.255.112.234
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pnj\applic~1\mozilla\firefox\profiles\8idhx9i7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1792828&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Diigo Customize Search
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\documents and settings\pnj\application data\mozilla\firefox\profiles\8idhx9i7.default\extensions\{3d95bcc6-0cab-452e-ac6b-be7dbaaf2aa7}\components\FFAlert.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npSeaTools_EN.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 is-K01DKdrv;is-K01DKdrv;c:\windows\system32\drivers\74383623.sys [2009-7-17 148496]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-10-12 214024]
R1 TSIMSF5;Traveling Software Mouse Filter Driver;c:\windows\system32\drivers\TSIMSF5.sys [2005-10-15 5120]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2006-11-2 13560]
R2 Akamai;Akamai;c:\windows\system32\svchost.exe -k Akamai [2004-8-19 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-25 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-10-12 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-10-12 144704]
R2 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2009-6-19 135168]
R2 TSIREGMO;tsiregmo;c:\windows\system32\drivers\tsiregmo.sys [2005-10-15 5888]
R2 TSISER;TSISER;c:\windows\system32\drivers\tsiser.sys [2005-10-15 31740]
R2 TSISTRMX;Traveling Software Stream Driver;c:\windows\system32\drivers\TSISTRMX.SYS [2005-10-15 5120]
R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\drivers\lknuhst.sys [2009-2-20 12032]
R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\drivers\lknuhub.sys [2009-2-20 39424]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-10-12 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-10-12 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-10-12 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-10-12 40552]
S1 TSIRCINK;Traveling Software Install Driver;c:\windows\system32\drivers\TSIRCINK.SYS [2005-10-15 9216]
S1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\drivers\trircmir.sys --> c:\windows\system32\drivers\trircmir.sys [?]
S2 gupdate1c9bc9ba8cebd66;Google Update Service (gupdate1c9bc9ba8cebd66);c:\program files\google\update\GoogleUpdate.exe [2009-4-13 133104]
S2 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton systemworks\norton antivirus\Navapsvc.exe [2001-8-16 115792]
S2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys --> c:\windows\system32\drivers\portd2k.sys [?]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]
S3 aawservice;aawservice;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-8-27 566616]
S3 AngelUsb;Angel USB MPEG Device;c:\windows\system32\drivers\AngelUsb.sys [2005-10-8 375424]
S3 CTMSFSYN;Creative SoundFont Synth;c:\windows\system32\drivers\CTMSFSYN.SYS [2005-1-31 159104]
S3 LKNUCMP;Linksys Network USB Composite Device;c:\windows\system32\drivers\lknucmp.sys [2009-2-20 14848]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-10-12 34216]
S3 NAVAP;NAVAP;c:\windows\system32\drivers\NAVAP.SYS [2001-8-3 182896]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20010808.016\NAVENG.SYS [2009-6-19 65920]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20010808.016\NAVEX15.SYS [2009-6-19 491712]
S4 RosettaStoneLtdController;RosettaStoneLtdController;c:\program files\rosettastoneltdservices\RosettaStoneLtdController.exe [2007-9-13 354672]

=============== Created Last 30 ================

2009-07-17 15:53 148,496 a------- c:\windows\system32\drivers\74383623.sys
2009-07-16 19:36 20,777 a------- c:\windows\system32\93809819[1].gif
2009-07-12 17:31 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-12 17:31 1,409 a------- c:\windows\QTFont.for
2009-06-25 08:32 28 a------- c:\docume~1\pnj\applic~1\messanger4.dat
2009-06-23 18:57 <DIR> --d----- c:\program files\XXCLONE
2009-06-22 16:32 1,487 -------- c:\docume~1\pnj\applic~1\messanger1.dat
2009-06-22 16:32 0 -------- c:\docume~1\pnj\applic~1\messanger2.dat
2009-06-19 22:47 <DIR> --d----- c:\program files\Startup Optimizer
2009-06-19 07:39 34,354 a------- c:\windows\system32\drivers\NPDRIVER.SYS
2009-06-19 07:38 31,744 a------- c:\windows\system32\S32STAT.DLL
2009-06-19 07:38 182,784 a------- c:\windows\system32\ddao35.dll
2009-06-19 07:38 13,792 a------- c:\windows\system32\drivers\qdfsdrv.sys
2009-06-19 07:38 86,016 a------- c:\windows\system32\apitrap.dll
2009-06-19 07:38 94,208 a------- c:\windows\system32\qdcsinet.dll
2009-06-19 07:36 120,379 a------- c:\windows\system32\SYMEVNT.386
2009-06-19 07:36 57,696 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-19 07:36 36,864 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-19 07:36 4,032 a------- c:\windows\system32\SYMEVNT1.DLL
2009-06-19 07:16 591,660 a------- c:\windows\_detmp.1
2009-06-19 07:16 128,000 a------- c:\windows\_detmp.2

==================== Find3M ====================

2009-07-17 14:09 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-07-17 14:09 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-06-30 15:09 53,854 a------- c:\windows\system32\nvModes.dat
2009-06-23 01:13 9,728 ---sh--- c:\program files\Thumbs.db
2009-06-17 23:22 40,960 a------- c:\windows\system32\sys.dat
2009-05-01 17:02 90,112 a------- c:\windows\system32\dpl100.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 17:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 17:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 17:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 17:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-15 19:52 109,560 -------- c:\docume~1\pnj\applic~1\GDIPFONTCACHEV1.DAT
2008-12-09 12:31 61,224 -------- c:\documents and settings\pnj\GoToAssistDownloadHelper.exe
2007-10-02 17:07 56,912 -------- c:\documents and settings\pnj\g2mdlhlpx.exe
2007-08-15 17:20 784 -------- c:\docume~1\pnj\applic~1\mpauth.dat
2006-09-25 10:06 251 -------- c:\program files\wt3d.ini
2006-09-04 15:40 0 -------- c:\docume~1\pnj\applic~1\Install.dat
2006-03-26 15:49 2,748,058 -------- c:\program files\6255i_Manual.pdf
2005-12-29 17:06 56 ---shr-- c:\windows\system32\93D8BBD9C6.sys
2007-08-08 19:12 56 ---shr-- c:\windows\system32\DA9627613C.sys
2007-08-08 19:12 4,182 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-12-12 19:08 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2007-12-12 19:08 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2007-12-12 19:08 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 0:34:23.45 ===============
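A first triage pass over the kind of DDS lines shown in this post, as an added example that is not part of the original post or of the DDS tool: it parses the TCP NameServer, SecurityProviders, Winlogon Userinit and service/driver entries and returns the items a helper would want to look at first (the resolver pair on every interface, the extra entry in SecurityProviders, the numerically named driver). The expected-resolver list and the Windows XP default SSP list are assumptions to adjust per machine; the sample lines are copied from the log above.

```python
"""Triage of a DDS log for the indicators visible in this thread.

Added example; not code from the original post or from the DDS tool.
The expected-resolver list and the Windows XP default SSP list below are
assumptions to be adjusted for the machine being examined.
"""
import ipaddress
import re

# Security Support Providers that Windows XP installs by default (assumption:
# anything beyond these deserves a look; the log above also lists ntoskrnl.dll).
XP_DEFAULT_SSPS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Resolvers this machine is expected to use (constructed placeholder: the home
# router and the ISP's resolvers belong here).
EXPECTED_RESOLVERS = (ipaddress.ip_network("192.168.0.0/16"),
                      ipaddress.ip_network("10.0.0.0/8"))

TCP_RE = re.compile(r"^TCP:\s+(?P<scope>\S+)\s*=\s*(?P<servers>.+)$")
SSP_RE = re.compile(r"^SecurityProviders:\s*(?P<list>.+)$")
USERINIT_RE = re.compile(r"Userinit=(?P<list>.+)$", re.IGNORECASE)
# "R1 name;description;path [yyyy-m-d size]"  or  "... --> path [?]"
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$")


def triage(log_text):
    """Return (category, detail) review items for the lines DDS reports."""
    items = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = TCP_RE.match(line)
        if m:
            # The global NameServer and every interface pointing at the same
            # outside pair is the pattern a DNS-changer leaves behind.
            for ip in m["servers"].split(","):
                addr = ipaddress.ip_address(ip.strip())
                if not any(addr in net for net in EXPECTED_RESOLVERS):
                    items.append(("dns", f"{m['scope']} uses unexpected resolver {addr}"))
            continue
        m = SSP_RE.match(line)
        if m:
            for ssp in (s.strip().lower() for s in m["list"].split(",")):
                if ssp not in XP_DEFAULT_SSPS:
                    items.append(("ssp", f"non-default SecurityProvider {ssp}"))
            continue
        m = USERINIT_RE.search(line)
        if m:
            # Userinit normally holds userinit.exe alone; extras run at logon.
            for entry in m["list"].split(",")[1:]:
                if entry.strip():
                    items.append(("userinit", f"extra Userinit entry {entry.strip()}"))
            continue
        m = DRIVER_RE.match(line)
        if m:
            # Take the last path in "a --> b" forms, then the file name only.
            fname = m["path"].split(" --> ")[-1].rsplit("\\", 1)[-1]
            if fname.rsplit(".", 1)[0].isdigit():
                items.append(("driver", f"{m['name']} loads numerically named {fname} [{m['meta']}]"))
    return items


# Constructed sample: lines copied from the DDS log in this post.
SAMPLE_LOG = r"""
mWinlogon: Userinit=userinit.exe,c:\windows\tsi32\tsircusr.exe
TCP: NameServer = 85.255.112.232,85.255.112.234
TCP: {8C66A413-8F61-4707-980E-315FD4CAE4A4} = 85.255.112.232,85.255.112.234
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
R1 is-K01DKdrv;is-K01DKdrv;c:\windows\system32\drivers\74383623.sys [2009-7-17 148496]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-10-12 214024]
S1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\drivers\trircmir.sys --> c:\windows\system32\drivers\trircmir.sys [?]
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

The items are review candidates, not verdicts: the Userinit and driver hits here belong to the user's own LapLink and virus-removal-tool installs, which is exactly why a helper reads them against the rest of the log.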


#2 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender: Male

Posted 28 July 2009 - 08:42 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
