
Infected with a NTOSKRNL-HOOK rootkit


  • This topic is locked
59 replies to this topic

#1 JadeSymDragon

  • Members
  • 31 posts

Posted 25 July 2009 - 02:23 PM

I have run multiple McAfee virus scans, which have shown positive for the NTOSKRNL virus, supposedly removing it. Yet, when I run the scan again, the virus is still there. In addition, whenever I try to open up my laptop normally (running Vista), the login screen crashes and shows a blue screen talking about a crash dump. Then the laptop restarts again. At the moment I am in safe mode. Please help me fix this problem.

Here is the DDS.txt


DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by kevin at 10:37:42.75 on Wed 07/15/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.2511 [GMT -5:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\Explorer.EXE
C:\Windows\helppane.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\kevin\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Skytel] Skytel.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Toolbar Search - c:\programdata\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: psfus - c:\windows\system32\psqlpwd.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\users\kevin\appdata\roaming\mozilla\firefox\profiles\ra3ovgvv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-3-26 31784]
S2 ihjcwnlolarop;ihjcwnlolarop;c:\windows\system32\drivers\uarchveme.sys [2009-7-9 72960]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-16 210216]
S2 NvcRpcServer;Nortel CVC Service;c:\program files\nortel networks\NvcRpcSvr.exe [2008-3-26 71176]
S2 zlsidc;zlsidc;c:\windows\system32\drivers\yxkrghejy.sys [2009-7-13 71808]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-13 29744]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-3-26 148232]

=============== Created Last 30 ================

2009-07-15 10:11 213,024 -------- c:\windows\system32\drivers\str.sys
2009-07-15 10:07 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-07-14 22:34 <DIR> --d----- c:\programdata\WindowsSearch
2009-07-14 20:31 <DIR> --d----- c:\users\kevin\appdata\roaming\Malwarebytes
2009-07-14 20:31 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-14 20:31 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-14 20:31 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-14 20:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 20:31 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-14 20:30 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-14 20:22 <DIR> --ds---- C:\Combo-Fix
2009-07-14 18:31 219,648 a------- c:\windows\PEV.exe
2009-07-14 18:31 161,792 a------- c:\windows\SWREG.exe
2009-07-14 18:31 98,816 a------- c:\windows\sed.exe
2009-07-14 14:41 <DIR> --d----- c:\users\kevin\appdata\roaming\WinBatch
2009-07-13 21:59 71,808 a------- c:\windows\system32\drivers\yxkrghejy.sys
2009-07-09 09:26 72,960 a------- c:\windows\system32\drivers\uarchveme.sys
2009-07-07 18:59 <DIR> --d----- c:\programdata\Citrix
2009-07-07 18:59 <DIR> --d----- c:\progra~2\Citrix
2009-07-07 18:55 <DIR> --d----- c:\program files\Citrix
2009-07-07 18:55 61,224 a------- c:\users\kevin\GoToAssistDownloadHelper.exe
2009-06-17 22:33 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-17 22:33 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-17 22:32 <DIR> --d----- c:\program files\iPod
2009-06-17 22:32 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-17 22:32 <DIR> --d----- c:\program files\iTunes
2009-06-17 22:32 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-17 22:32 <DIR> --d----- c:\program files\Bonjour
2009-06-17 22:24 <DIR> --d----- c:\programdata\Apple Computer
2009-06-16 13:14 97,800 a------- c:\windows\system32\infocardapi.dll
2009-06-16 13:14 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-06-16 13:14 622,080 a------- c:\windows\system32\icardagt.exe
2009-06-16 13:14 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-06-16 13:14 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-06-16 13:14 11,264 a------- c:\windows\system32\icardres.dll
2009-06-16 13:14 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-06-16 13:14 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-06-16 13:04 96,760 a------- c:\windows\system32\dfshim.dll
2009-06-16 13:04 282,112 a------- c:\windows\system32\mscoree.dll
2009-06-16 13:04 41,984 a------- c:\windows\system32\netfxperf.dll
2009-06-16 13:03 158,720 a------- c:\windows\system32\mscorier.dll
2009-06-16 13:03 83,968 a------- c:\windows\system32\mscories.dll
2009-06-15 16:08 <DIR> --d----- c:\program files\Cheat Engine 5.4

==================== Find3M ====================

2009-06-17 22:31 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-17 22:31 86,016 a------- c:\windows\inf\infstor.dat
2009-06-17 22:31 51,200 a------- c:\windows\inf\infpub.dat
2009-05-01 16:02 90,112 a------- c:\windows\system32\dpl100.dll
2009-05-01 16:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 16:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 16:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 16:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 16:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 16:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-30 07:37 293,376 a------- c:\windows\system32\psisdecd.dll
2009-04-30 07:37 428,544 a------- c:\windows\system32\EncDec.dll
2009-04-24 11:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 11:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 08:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 07:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 07:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 06:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-04-20 01:29 366 a------- c:\program files\conquer.ini
2008-12-23 19:30 174 a--sh--- c:\program files\desktop.ini
2008-12-23 10:08 665,600 a------- c:\windows\inf\drvindex.dat
2008-03-20 16:11 32 a------- c:\programdata\ezsid.dat
2008-03-20 16:11 32 a------- c:\progra~2\ezsid.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 10:41:48.62 ===============

Thank you for your help.


#2 fireman4it

    Bleepin' Fireman
  • Malware Response Team
  • 13,502 posts

Posted 04 August 2009 - 04:55 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 JadeSymDragon

  • Topic Starter
  • Members
  • 31 posts

Posted 04 August 2009 - 05:21 PM

Thank you for your response, fireman4it! I am still having the same problems with the blue screen and the restarting, as well as the NTOSKRNL-HOOK rootkit showing up on McAfee scans. Very rarely, after the computer restarts about 20 times, it will stop blue-screening and allow me to start Windows normally. The only other option is safe mode. Thank you for any help! Here is the DDS log and attachment.

DDS (Ver_09-07-30.01) - NTFSx86
Run by kevin at 17:04:49.02 on Tue 08/04/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.854 [GMT -5:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Nortel Networks\NvcRpcSvr.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Users\kevin\Downloads\CoRevolution\CoRevolution.exe
C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe
C:\Program Files\Common Files\ParetoLogic\PLAVEngine\ScanningProcess.exe
C:\Program Files\Common Files\ParetoLogic\PLAVEngine\ScanningProcess.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Users\kevin\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Skytel] Skytel.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ParetoLogic Anti-Virus PLUS] "c:\program files\paretologic\anti-virus plus\Pareto_AV.lnk" -NM -hidesplash
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Toolbar Search - c:\programdata\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\INetHTTPFilter.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: psfus - c:\windows\system32\psqlpwd.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\users\kevin\appdata\roaming\mozilla\firefox\profiles\ra3ovgvv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-16 210216]
R2 NvcRpcServer;Nortel CVC Service;c:\program files\nortel networks\NvcRpcSvr.exe [2008-3-26 71176]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-3-26 31784]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-13 29744]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-3-26 148232]

=============== Created Last 30 ================

2009-08-04 13:16 2,200 a------- C:\rollback.ini
2009-08-04 12:59 <DIR> --d----- c:\programdata\ParetoLogic Anti-Virus PLUS
2009-08-04 12:59 <DIR> --d----- c:\programdata\ParetoLogic
2009-08-04 12:59 <DIR> --d----- c:\program files\ParetoLogic
2009-08-04 12:59 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-08-04 12:59 <DIR> --d----- c:\progra~2\ParetoLogic Anti-Virus PLUS
2009-08-04 12:59 <DIR> --d----- c:\progra~2\ParetoLogic
2009-07-29 22:07 <DIR> --ds---- C:\Combo-Fix
2009-07-29 22:07 318,976 a------- c:\windows\system32\CF21477.exe
2009-07-29 21:59 318,976 a------- c:\windows\system32\CF19949.exe
2009-07-29 21:50 318,976 a------- c:\windows\system32\CF18127.exe
2009-07-29 21:38 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-07-16 19:45 127 a------- c:\windows\system32\MRT.INI
2009-07-15 15:45 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-15 15:45 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-15 15:45 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-15 15:45 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-15 15:34 <DIR> --dsh--- c:\users\kevin\appdata\roaming\lowsec
2009-07-14 22:34 <DIR> --d----- c:\programdata\WindowsSearch
2009-07-14 20:31 <DIR> --d----- c:\users\kevin\appdata\roaming\Malwarebytes
2009-07-14 20:31 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-14 20:31 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-14 20:31 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-14 20:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 20:31 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-14 20:30 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-14 18:31 219,648 a------- c:\windows\PEV.exe
2009-07-14 18:31 161,792 a------- c:\windows\SWREG.exe
2009-07-14 18:31 98,816 a------- c:\windows\sed.exe
2009-07-14 14:41 <DIR> --d----- c:\users\kevin\appdata\roaming\WinBatch
2009-07-07 18:59 <DIR> --d----- c:\programdata\Citrix
2009-07-07 18:59 <DIR> --d----- c:\progra~2\Citrix
2009-07-07 18:55 <DIR> --d----- c:\program files\Citrix
2009-07-07 18:55 61,224 a------- c:\users\kevin\GoToAssistDownloadHelper.exe

==================== Find3M ====================

2009-07-18 11:06 827,904 a------- c:\windows\system32\wininet.dll
2009-07-18 11:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 04:46 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-06-17 22:31 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-17 22:31 86,016 a------- c:\windows\inf\infstor.dat
2009-06-17 22:31 51,200 a------- c:\windows\inf\infpub.dat
2009-04-20 01:29 366 a------- c:\program files\conquer.ini
2008-12-23 19:30 174 a--sh--- c:\program files\desktop.ini
2008-12-23 10:08 665,600 a------- c:\windows\inf\drvindex.dat
2008-03-20 16:11 32 a------- c:\programdata\ezsid.dat
2008-03-20 16:11 32 a------- c:\progra~2\ezsid.dat
2008-01-19 02:38 587,776 a----r-- c:\users\kevin\appdata\roaming\sdra64.exe
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 17:15:37.45 ===============


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:18 AM

Posted 05 August 2009 - 03:23 PM

Hello.

You appear to have run Combofix before. Do you still have the log so I can see it?

It should be located in your C:\ drive entitled Combofix.txt.

Then, please run a rootkit scan for me.

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click [image] or [image] on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on [image] and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push [image] and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

Thanks.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 JadeSymDragon

JadeSymDragon
  • Topic Starter

  • Members
  • 31 posts
  • Local time:02:18 AM

Posted 05 August 2009 - 09:21 PM

Thanks extremeboy for your response!

Here are the GMER scan results. Unfortunately the combofix.txt cannot be uploaded. The computer states when I try to open it that the file is being used by another process. Should I run combo-fix again? Thank you for your help.

GMER 1.0.15.15011 [s7zo84in.exe] - http://www.gmer.net
Rootkit scan 2009-08-05 21:16:48
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8FA9D4FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8FA9D498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8FA9D4AC]
Code 86B21FD8 ZwEnumerateKey
Code 86A78CF8 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8FA9D53C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8FA9D57F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8FA9D470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8FA9D484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8FA9D512]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8FA9D5A7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8FA9D593]
Code 86B21CA6 ZwSaveKey
Code 86ADF83E ZwSaveKeyEx
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8FA9D4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8FA9D4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8FA9D56B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8FA9D552]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8FA9D528]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8FA9D4C2]
Code 86A7281D IofCallDriver
Code 86A7C876 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE [156] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [244] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\wininit.exe [552] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\winlogon.exe [592] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [640] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\lsass.exe [684] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\lsm.exe [692] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\agrsmsvc.exe [832] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [884] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [928] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\Ati2evxx.exe [984] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1068] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1100] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\RtHDVCpl.exe [1156] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1164] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1216] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\SLsvc.exe [1260] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1316] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1372] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\Ati2evxx.exe [1388] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\McAfee\MPF\MPFSrv.exe [1436] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Protector Suite QL\upeksvr.exe [1440] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [1456] 0x005D0000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1504] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [1764] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\System32\spoolsv.exe [1920] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1944] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [1984] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\rundll32.exe [2008] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\Dwm.exe [2084] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\ltmoh\ltmoh.exe [2120] 0x002A0000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Nortel Networks\NvcRpcSvr.exe [2248] 0x00180000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Apoint2K\Apoint.exe [2256] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Toshiba\IVP\ISM\pinger.exe [2344] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2408] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [2420] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ c:\Toshiba\IVP\swupdate\swupdtmr.exe [2452] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [2512] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\TODDSrv.exe [2544] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe [2564] 0x00CA0000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2624] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2640] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [2668] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\SearchIndexer.exe [2692] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe [2732] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [2932] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [3088] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [3368] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\taskeng.exe [3444] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe [3460] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\taskeng.exe [3560] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Toshiba\ConfigFree\NDSTray.exe [3948] 0x01EF0000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ c:\PROGRA~1\mcafee.com\agent\mcagent.exe [3980] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Windows Media Player\wmpnscfg.exe [4108] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Toshiba\Utilities\KeNotify.exe [4260] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Windows Media Player\wmpnetwk.exe [4284] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Toshiba\Power Saver\TPwrMain.exe [4292] 0x003A0000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Toshiba\SmoothView\SmoothView.exe [4376] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Toshiba\FlashCards\TCrdMain.exe [4392] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [4408] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jusched.exe [4416] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Protector Suite QL\psqltray.exe [4440] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [4448] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [4508] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [4520] 0x003C0000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Windows Sidebar\sidebar.exe [4528] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe [4548] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\McAfee\MSK\MskSrver.exe [4656] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Apoint2K\ApMsgFwd.exe [4860] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe [5236] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Apoint2K\Apntex.exe [5568] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe [5772] 0x01C30000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [5944] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\iPod\bin\iPodService.exe [5992] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [6096] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Users\kevin\Desktop\s7zo84in.exe [7228] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Toshiba\IVP\ISM\ivpsvmgr.exe [24108] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Common Files\ParetoLogic\PLAVEngine\ScanningProcess.exe [33312] 0x001B0000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\Common Files\ParetoLogic\PLAVEngine\ScanningProcess.exe [34636] 0x00C40000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\geyekrcebwqmcm.sys (*** hidden *** ) [SYSTEM] geyekrwwyvfmer <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
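The log posted above mixes three kinds of findings that read alike but mean different things: kernel hooks owned by a named driver, hooks with only a bare address behind them, and objects GMER marks as hidden. As an added example that is not part of this thread or of GMER itself, the Python below parses those line formats into a triage summary, using lines copied from the log above as its sample input.

```python
"""Triage a GMER rootkit-scan log (added example; not part of the thread or of GMER).

Three line shapes from the "System", "Processes" and "Services" sections are parsed:
  Code    <module> (<vendor text>) <function> [<addr>]   hook owned by a driver on disk
  Code    <addr> <function>                              hook with no owning module
  Library <dll> (*** hidden *** ) @ <process> [<pid>] <base>
  Service <driver> (*** hidden *** ) [<start>] <name> <-- ROOTKIT !!!
Hooks placed by a security product (here the McAfee HIDS driver) are expected; the
items a defender reviews first are hidden objects and hooks with no module behind them.
"""
import re
from collections import Counter, defaultdict

HOOK_MODULE = re.compile(
    r"^Code\s+(?P<module>\\\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?$")
HOOK_BARE = re.compile(r"^Code\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\w+)$")
LIBRARY = re.compile(
    r"^Library\s+(?P<dll>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<proc>.+?)"
    r"\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)$")
SERVICE = re.compile(
    r"^Service\s+(?P<driver>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]"
    r"\s+(?P<name>\S+)(?P<flag>\s+<-- ROOTKIT !!!)?$")

# Sample input: lines copied from the GMER log posted above (raw string keeps the backslashes).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8FA9D4FE]
Code 86B21FD8 ZwEnumerateKey
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8FA9D470]
Code 86A7281D IofCallDriver
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE [156] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekraixpqvlp.dll (*** hidden *** ) @ C:\Windows\system32\wininit.exe [552] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\geyekrcebwqmcm.sys (*** hidden *** ) [SYSTEM] geyekrwwyvfmer <-- ROOTKIT !!!
"""


def basename(path):
    """Last component of a Windows path, lower-cased for grouping."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Parse a GMER log and group its findings; section headers and blanks are skipped."""
    attributed = Counter()          # owner driver -> number of hooked kernel functions
    unattributed = []               # (address, function) for hooks with no module on disk
    hidden_dlls = defaultdict(set)  # hidden dll -> pids it is mapped into
    hidden_services = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := HOOK_MODULE.match(line)):
            attributed[basename(m["module"])] += 1
        elif (m := HOOK_BARE.match(line)):
            unattributed.append((m["addr"], m["func"]))
        elif (m := LIBRARY.match(line)):
            hidden_dlls[basename(m["dll"])].add(int(m["pid"]))
        elif (m := SERVICE.match(line)):
            hidden_services.append({"name": m["name"], "driver": m["driver"],
                                    "start": m["start"], "flagged": m["flag"] is not None})
    return {
        "attributed_hooks": dict(attributed),
        "unattributed_hooks": unattributed,
        "hidden_dlls": {dll: sorted(pids) for dll, pids in hidden_dlls.items()},
        "hidden_services": hidden_services,
    }


def findings(summary):
    """Order the summary for review, most suspicious first. This only reports: as the
    helper notes, rootkit scanners produce false positives, so nothing is removed here."""
    items = []
    for svc in summary["hidden_services"]:
        items.append(f"hidden service {svc['name']} ({svc['driver']}, start={svc['start']})"
                     + (", flagged by GMER" if svc["flagged"] else ""))
    for dll, pids in summary["hidden_dlls"].items():
        items.append(f"hidden library {dll} mapped into {len(pids)} process(es)")
    if summary["unattributed_hooks"]:
        funcs = ", ".join(func for _, func in summary["unattributed_hooks"])
        items.append(f"{len(summary['unattributed_hooks'])} hook(s) with no owning module: {funcs}")
    for module, count in summary["attributed_hooks"].items():
        items.append(f"{count} hook(s) owned by {module} (attributed; confirm the vendor before acting)")
    return items


if __name__ == "__main__":
    for item in findings(triage(SAMPLE_LOG)):
        print(item)
```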

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:18 AM

Posted 05 August 2009 - 09:25 PM

Hello.

Please delete the Combofix.exe you currently have, re-download it and follow the steps below.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while it's running because it may cause it to stall.

~Extremeboy

#7 JadeSymDragon

JadeSymDragon
  • Topic Starter

  • Members
  • 31 posts
  • Local time:02:18 AM

Posted 06 August 2009 - 12:46 PM

Thanks extremeboy for your response.

When I run combo-fix, the computer restarts because it states that it needs an administrator command prompt. I am an administrator. Then the computer restarts and when it attempts to open up to the login page it goes through the same blue screen (when I run combo-fix in safe mode). I do not understand why now it will not come up with the log file. I have tried running combo-fix in safe mode, but it continuously gives the same effect. What should I do next?

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:18 AM

Posted 06 August 2009 - 09:09 PM

Hello.

Let's delete that Combofix.txt file with Hijackthis.

Download and Delete File on Reboot with Hijackthis

Click here to download HijackThis Installer.
Save HJTInstall.exe to your Desktop.
Double click on the HJTInstall.exe icon to start the program.
By default it will install to C:\Program Files\Trend Micro\HijackThis
Let it be installed to the default and follow the prompts to install it.
After the final dialogue box it will launch HijackThis.

Click the Open the Misc Tools Section
Then click the Delete a File on Reboot... option.
A Windows explorer window shall appear.
Please Browse to your C:\ drive and then find the Combofix.txt log file. Highlight the file by clicking it once.
Now press Open.

You will then receive a warning saying something like:
"The file 'C:\Combofix.txt' will be deleted by Windows when the system restarts.
Do you want to restart your computer now?"


Please make sure you save any open documents and close them; then say Yes.
Your system shall now restart. Let it restart and once you are back up, please do the following:

Delete and Re-run Combofix
Delete the existing Combofix.exe you currently have and re-download a new copy from one of those 2 links.

Now run Combofix.exe again like before and post the Combofix log once it's complete please.

Thanks.

With Regards,
Extremeboy

#9 JadeSymDragon

JadeSymDragon
  • Topic Starter

  • Members
  • 31 posts
  • Local time:02:18 AM

Posted 06 August 2009 - 09:48 PM

Thank you extremeboy for your response.

When I try to delete the file, the computer states that the combo.txt file is in use by another program. I am in safe mode and in the task manager there are no files that are using the combo.txt file. What should I do? When I attempt to open the file using notepad it once again states that the file is in use by another program. Thank you for any help.

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:18 AM

Posted 07 August 2009 - 12:05 PM

Hello.

Did you use Hijackthis delete on reboot function to delete Combofix.txt?

Please do that; refer to my previous instructions on doing so.

~Eb

#11 JadeSymDragon

JadeSymDragon
  • Topic Starter

  • Members
  • 31 posts
  • Local time:02:18 AM

Posted 07 August 2009 - 12:12 PM

Thank you extremeboy for your response.

Yes I did try to use the hijackthis to try to delete the file, but the program would not allow me to do so because of the fact that the file was being used by another program. When I go to the C:\ drive and then find the Combofix.txt log file it does not allow me to continue the deletion process. While I am doing this, I do not have combofix.txt open. Sorry for being unclear in my previous post.

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:18 AM

Posted 07 August 2009 - 12:44 PM

Hello.

My instructions above may not have been very clear. See if this works instead.

Start HiJackThis & go to Open the Misc Tools Section >> Delete a file on reboot...
  • In the popup box that appears, copy/paste in:
    • C:\ComboFix.txt
  • Click the Open button.
  • Click YES when prompted to restart your computer.
Let me know how it goes.

Thanks.

~Extremeboy

#13 JadeSymDragon

JadeSymDragon
  • Topic Starter

  • Members
  • 31 posts
  • Local time:02:18 AM

Posted 07 August 2009 - 12:56 PM

Thank you extremeboy for your response.

Yes I did exactly as your instructions have stated. When I click open for the combofix.txt file this is the message which appears when I am trying to delete the file using HijackThis:

ComboFix
The File is in use.
Enter a new name or close the file that's open in another program.

What should I do next?

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:18 AM

Posted 07 August 2009 - 01:16 PM

Hello.

I have asked the creator of Combofix, and he would like you to run this tool please.

This tool will reboot the machine automatically and immediately after its completion, so please save any work before running it.

Download this tool from here: http://download.bleepingcomputer.com/sUBs/...omboFix.txt.exe

Save it to your desktop. Right-click on that tool and select run as administrator.

Let it run and reboot your machine. Once it's done, let me know if the Combofix.txt is gone.

Thanks.

~Extremeboy

#15 JadeSymDragon

JadeSymDragon
  • Topic Starter

  • Members
  • 31 posts
  • Local time:02:18 AM

Posted 07 August 2009 - 02:14 PM

Thank you extremeboy for your response.

The combofix.txt has been successfully deleted. I have downloaded the new ComboFix. When I run ComboFix, in the middle it continuously crashes without the blue screen and the computer just turns off without shutting down fully. The computer continuously crashes sometimes a few seconds after I open it up.

In addition the ComboFix program shows this constantly when it is working before it begins the scan.

Access Denied. Administrator permission are needed to use the selected options. Use an administrator command prompt to complete these tasks.

I will continue to try to get the ComboFix log, but is there any way to prevent ComboFix from showing this message?



