Here's My Hijackthis Log


15 replies to this topic

#1 Goat Fish


Posted 26 July 2009 - 09:47 AM

I'd like to say about how long ago this began, but I'm not sure, it's been an on again, off again issue that I just can't seem to fix.
My computer has a lot of suspicious files, a slew of processes running in Task Manager that seem unnecessary, and are unexplainable. I take a lot of time to look each process up, but most of the names have several different descriptions, usually one saying "Do not close this process!", and even though it wasn't there yesterday, and I've never seen it before, or done anything differently I can't be sure, so I leave it alone.

My McAfee finds a lot of Trojans, to name some Generic Rootkit.d!rootkit (Trojan), FakeAlert-SpywareGuard.gen.b (Trojan), DNSChanger!u(Trojan), DNSchanger!u(Trojan).
It finds these exact ones, exact file names etc., and removes, or quarantines them over and over again.

I also have Avast and Ad-Aware installed in my computer (I don't run any of these at the same time, I promise), and they also find multiple Trojans that they just straight can't get rid of.
This is the file that they continue to call out, but not remove, or quarantine, or "move to chest":
uacjwyldlpvkjksyxcuk.dll
I'm sorry, that file name was one McAfee called up; the Ad-Aware version is the same except for the "uac" part, and the Avast program finds it as the same without the "uacj" part. I don't know how much of a difference that makes.

Also, GoogleInstaller keeps encountering problems and shutting down...I don't even know why it's open.
And Internet Explorer also keeps opening on its own, playing sound clips from various things (like the movie trailer for that new Adam Sandler and Seth Rogen film), and then if I don't shut it down manually in Task Manager it encounters a problem and shuts down. Keep in mind it never opens a window, just the sound clip. Really weird. I even pulled the plug on my internet (I don't know why I thought that was going to make a difference) but it continued to open and act like it was still connected.
When my internet was disconnected I kept receiving a pop up that informed me that Comcast Tool bar had an update and that I should "click here" to install it. I've been having Comcast Tool Bar related issues since the day the Comcast guy came and installed it.
He'd suggested replacing my outdated Norton with McAfee but didn't tell me this until after I was on-line. I removed one, got a blue screen, Task Manager was disabled, a whole bunch of really messed up icons (delself) appeared, and my Administrator account was bumped down and a new Administrator appeared. I went through a lot to try to get rid of that issue, but I'm convinced that I was still infected. That's been since around this time last year, so there's a good chance that whatever is wrong with my computer is related to that in some way, which is why I'm telling you guys about it.

I have run HijackThis, so rather than just try to explain it I'll post that and let it do my explaining for me. Thank you ahead of time, to anyone that helps me. I've been beating my head against a wall with this thing forever, it seems.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:33 PM, on 7/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKLM\..\Policies\Explorer\Run: [vUDNTe1yOv] C:\Documents and Settings\All Users\Application Data\pslebgds\xifwpqfi.exe
O4 - S-1-5-18 Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZCfox000
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...403/mcfscan.cab
O20 - AppInit_DLLs: karna.dat
O21 - SSODL: commntcmd - {6CAAFDFF-727E-3975-C65F-08A97AE6783B} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9e61e3199dac6) (gupdate1c9e61e3199dac6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 10120 bytes
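The log above is the plain-text format HijackThis writes. As an added example (not code from this thread, from HijackThis or from BleepingComputer), here is a small triage pass that reads such lines and flags the entry types malware-removal helpers check first: a populated AppInit_DLLs value, autostarts under the Policies\Explorer\Run key, autostarts in user-writable data directories with random-looking names, and orphaned entries whose file is missing. The severity labels and the consonant-run heuristic for "random-looking" names are assumptions of this example, and the sample lines are copied from the posted log.

```python
"""Triage pass over HijackThis-style log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Policies\Explorer\Run: [vUDNTe1yOv] C:\Documents and Settings\All Users\Application Data\pslebgds\xifwpqfi.exe
O20 - AppInit_DLLs: karna.dat
O21 - SSODL: commntcmd - {6CAAFDFF-727E-3975-C65F-08A97AE6783B} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)$")
# User/all-user data directories: legitimate autostart binaries rarely live there on XP.
WRITABLE_DIRS = ("all users\\application data\\", "\\application data\\", "\\local settings\\temp\\")
# Assumed heuristic for a "random-looking" name: a run of four or more consonants.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}", re.I)


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "low" (labels chosen for this example)
    reason: str
    line: str


def looks_random(name: str) -> bool:
    return bool(CONSONANT_RUN.search(name))


def triage_line(line: str) -> List[Finding]:
    """Return every finding for one HJT entry; benign or unparseable lines return []."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    out: List[Finding] = []

    # O20: a DLL listed in AppInit_DLLs is loaded into every process that maps user32.dll.
    if section == "O20" and low.startswith("appinit_dlls:"):
        value = body.split(":", 1)[1].strip()
        if value:
            out.append(Finding(section, "high",
                               f"AppInit_DLLs loads {value!r} into every GUI process", line))

    if section == "O4":
        # Policies\Explorer\Run is a legacy policy key that ordinary installers do not use.
        if "policies\\explorer\\run" in low:
            out.append(Finding(section, "high", "autostart under Policies\\Explorer\\Run", line))
        o4 = O4_RE.search(body)
        if o4 and any(d in low for d in WRITABLE_DIRS):
            # Strip the extension from each path component and test the name itself.
            parts = [p.rsplit(".", 1)[0] for p in o4.group("cmd").split("\\")]
            odd = [p for p in parts if looks_random(p)]
            if odd:
                out.append(Finding(section, "medium",
                                   f"autostart in user-writable directory with random-looking names {odd}", line))

    # Orphaned entries: the registered file is gone. Worth cleaning, not proof of infection.
    if "(no file)" in low or "(file missing)" in low:
        out.append(Finding(section, "low", "orphaned entry, referenced file is missing", line))
    return out


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


def summarize(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

The pass is a reading aid for the log, not a verdict: a helper still confirms each flagged path against the machine before asking for any removal.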


#2 Net_Surfer


Posted 05 August 2009 - 03:49 AM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#3 Goat Fish


Posted 06 August 2009 - 08:53 AM

All right...detailed explanation of what's going on with my computer.

Nothing is really different, McAfee continues to find and remove the same Trojan.
Generic Rootkit.d!rootkit (Trojan)
file name: NTOSKRNL -HOOK

Every two or three minutes Internet Explorer opens up (always in pairs) and starts playing commercials, movie trailers, internet radio, and other assorted sound bites. I don't use Internet Explorer, so it just does this without any help from me. It doesn't open up any windows, so if I didn't go into Task Manager I wouldn't know where the noise was coming from. It doesn't always play sounds; sometimes it just opens up in there, but you always hear the "Click!" sound. If I do happen to have Internet Explorer open it just opens another one.

I cannot run a disk clean up, I cannot analyze for defrag, I cannot defrag.

This is all I can really remember right now, this and whatever I posted before. Nothing has really changed for my computer.
I didn't want to do anything to it, because I didn't want to mess anything up, or have anything be too different from what I posted previously.

Oh...there is one more thing, my roommate said that I might have to reformat, in which case I don't have a start up disk, I know you're supposed to make one as soon as you get your computer, but I didn't have full control or authority over my computer until my ex-husband and I parted ways last June...at least two years after my computer had been up and running.
If it does come down to reformatting do you guys have any idea what I can do to save my computer?



DDS (Ver_09-07-30.01) - NTFSx86
Run by Compaq_Owner at 9:16:02.40 on Thu 08/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.960 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090806-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
uWindow Title = Windows Internet Explorer provided by Comcast
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCfox000&fl=0&ptb=FrvHOnNOwGP7xFGNjthBdw&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~2\COMCAS~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McAfee Backup] c:\program files\mcafee\mbk\McAfeeDataBackup.exe
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [PCDrProfiler]
mRun: [<NO NAME>]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mExplorerRun: [vUDNTe1yOv] c:\documents and settings\all users\application data\pslebgds\xifwpqfi.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\wkcalrem.lnk - c:\program files\common files\microsoft shared\works shared\WkCalRem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZCfox000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5403/mcfscan.cab
AppInit_DLLs: karna.dat
SSODL: commntcmd - {6CAAFDFF-727E-3975-C65F-08A97AE6783B} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\dkvqgc9o.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net?cid=NET_mmhpset
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-28 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-24 114768]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-12 201320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-24 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-24 138680]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-12 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-10-12 144704]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-24 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-24 352920]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-12 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-12 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-12 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-12 33832]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-12 40488]
S2 gupdate1c9e61e3199dac6;Google Update Service (gupdate1c9e61e3199dac6);c:\program files\google\update\GoogleUpdate.exe [2009-6-5 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]

=============== Created Last 30 ================

2009-07-26 08:59 <DIR> --d----- c:\program files\iPod
2009-07-26 08:59 <DIR> --d----- c:\program files\iTunes
2009-07-12 03:31 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-07-12 03:31 <DIR> --d----- c:\documents and settings\compaq_owner\.housecall6.6
2009-07-07 13:38 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-08-01 19:18 21,454 a------- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-07-01 19:02 1 a------- c:\windows\system32\drivers\SKYNETneqrsbmg.sys
2009-07-01 18:54 158,574 a------- c:\windows\system32\SKYNETyjlabaop.dat
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-06-02 22:07 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-14 17:55 245,408 a------- c:\windows\system32\unicows.dll
2008-10-16 00:28 16,384 ac-sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-10-16 00:28 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101620081017\index.dat
2008-10-27 10:06 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102720081028\index.dat

============= FINISH: 9:18:15.25 ===============



Should I include that Attachment Only file that it brought up as well?
Thank You very much for taking the time to help me, I really appreciate it.


#4 Billy O'Neal
    Visual C++ STL Maintainer

Posted 06 August 2009 - 09:41 PM

Hello, Goat Fish :thumbup2:

Do you use any Disk Emulation programs, such as Daemon Tools, or Alcohol 120%? These types of applications can sometimes cause that detection.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open [image] on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all six boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 Billy O'Neal
    Visual C++ STL Maintainer

Posted 06 August 2009 - 11:44 PM

Sorry -- I've just been informed of a problem with the above instructions. Please use these instead:

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Billy3

#6 Goat Fish

Goat Fish
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Female
  • Location:Florida
  • Local time:07:09 AM

Posted 11 August 2009 - 02:15 PM

Sorry that I haven't checked this sooner. My computer froze the other day and I was honestly just afraid to try to turn it back on.

I did the RootRepeal thing, but I must ask what is an "API"? Just curious really, when it says "Locked to API!" Or "Invisible to API!" what's it referring to? I mean, I could guess me, or McAfee...but at this point I think my McAfee and my Ad-Aware are part of the problem...

Well...anyhow, here's the report


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/11 15:05
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

SSDT
-------------------


Oh, and you asked me if I had any Disk Emulation programs, such as Daemon Tools, or Alcohol 120%, what are those? I don't think I do, but if I did...what would they be and how would I know?

Well, anyway thank you so very much for helping me! You are a godsend.

I'm sorry, but I just looked at what it saved when I hit save report, it doesn't look like what I saw when it was done scanning...so I'm going to post the other note pad that popped up on the screen as well. I'm sure one of these two will be what you're looking for.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/11 14:43
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4FD5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE20000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3A80000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACcoxgppirpkecncubo.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACeqsoinntjajxllste.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACitwrdkkuyjelmxoee.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACjwyldlpvkjksyxcuk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClnrgjiqwsbbwalkxx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACngqrsowpuhsrjmged.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACstpybypfwdhenolio.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcmsc_fcek6oyabofx1uv
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_xv2g6kwtceujfdq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\UAC361e.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UAClqmtjnjcyuuxlmnto.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\compaq_owner\local settings\temp\~df4ce9.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\UAC9e48.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\compaq_owner\local settings\temp\etilqs_omo9gcgdswprztywt2b8
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\compaq_owner\local settings\temp\etilqs_oyve3lki0jf4t0ugaprf
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\compaq_owner\local settings\temp\~df39c7.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\uacjwyldlpvkjksyxcuk.dll.f376ca4a672e76102b96ef6c3247e0.aawqff
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: winlogon.exe (PID: 716) Address: 0x00740000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: winlogon.exe (PID: 716) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: services.exe (PID: 764) Address: 0x00740000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: services.exe (PID: 764) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: lsass.exe (PID: 776) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: lsass.exe (PID: 776) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAClnrgjiqwsbbwalkxx.dll]
Process: svchost.exe (PID: 956) Address: 0x00b80000 Size: 73728

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: svchost.exe (PID: 956) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: svchost.exe (PID: 956) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UACjwyldlpvkjksyxcuk.dll]
Process: svchost.exe (PID: 956) Address: 0x00ad0000 Size: 81920

Object: Hidden Module [Name: UACitwrdkkuyjelmxoee.dll]
Process: svchost.exe (PID: 956) Address: 0x02ba0000 Size: 217088

Object: Hidden Module [Name: UAC361e.tmpdkkuyjelmxoee.dll]
Process: svchost.exe (PID: 956) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: svchost.exe (PID: 1056) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: svchost.exe (PID: 1056) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UAC361e.tmpdkkuyjelmxoee.dll]
Process: svchost.exe (PID: 1056) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: svchost.exe (PID: 1156) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: svchost.exe (PID: 1156) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UAC361e.tmpdkkuyjelmxoee.dll]
Process: svchost.exe (PID: 1156) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: svchost.exe (PID: 1244) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: svchost.exe (PID: 1244) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UAC361e.tmpdkkuyjelmxoee.dll]
Process: svchost.exe (PID: 1244) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: svchost.exe (PID: 1352) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: svchost.exe (PID: 1352) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UAC361e.tmpdkkuyjelmxoee.dll]
Process: svchost.exe (PID: 1352) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: aswUpdSv.exe (PID: 1444) Address: 0x00a30000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: aswUpdSv.exe (PID: 1444) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: ashServ.exe (PID: 1552) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: ashServ.exe (PID: 1552) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: spoolsv.exe (PID: 1792) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: spoolsv.exe (PID: 1792) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: svchost.exe (PID: 504) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: svchost.exe (PID: 504) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UAC361e.tmpdkkuyjelmxoee.dll]
Process: svchost.exe (PID: 504) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: mDNSResponder.exe (PID: 564) Address: 0x00810000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: mDNSResponder.exe (PID: 564) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: jqs.exe (PID: 1132) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: jqs.exe (PID: 1132) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: mcmscsvc.exe (PID: 1952) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: mcmscsvc.exe (PID: 1952) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: mcnasvc.exe (PID: 1972) Address: 0x00b20000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: mcnasvc.exe (PID: 1972) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: mcproxy.exe (PID: 148) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: mcproxy.exe (PID: 148) Address: 0x00900000 Size: 49152

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: McShield.exe (PID: 220) Address: 0x007d0000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: McShield.exe (PID: 220) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: nvsvc32.exe (PID: 260) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: nvsvc32.exe (PID: 260) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: sprtsvc.exe (PID: 328) Address: 0x00a70000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: sprtsvc.exe (PID: 328) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: svchost.exe (PID: 480) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: svchost.exe (PID: 480) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UAC361e.tmpdkkuyjelmxoee.dll]
Process: svchost.exe (PID: 480) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: ashMaiSv.exe (PID: 2272) Address: 0x00a60000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: ashMaiSv.exe (PID: 2272) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: ashWebSv.exe (PID: 2448) Address: 0x00a80000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: ashWebSv.exe (PID: 2448) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: alg.exe (PID: 2932) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: alg.exe (PID: 2932) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: svchost.exe (PID: 3384) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: svchost.exe (PID: 3384) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UACitwrdkkuyjelmxoee.dll]
Process: svchost.exe (PID: 3384) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: MPFSrv.exe (PID: 272) Address: 0x00990000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: MPFSrv.exe (PID: 272) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: mcsysmon.exe (PID: 2168) Address: 0x00950000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: mcsysmon.exe (PID: 2168) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: mcagent.exe (PID: 1264) Address: 0x00e00000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: mcagent.exe (PID: 1264) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: Explorer.EXE (PID: 1672) Address: 0x00d30000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: Explorer.EXE (PID: 1672) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: McAfeeDataBackup.exe (PID: 3076) Address: 0x00f10000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: McAfeeDataBackup.exe (PID: 3076) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: jusched.exe (PID: 3156) Address: 0x00c80000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: jusched.exe (PID: 3156) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: ashDisp.exe (PID: 2096) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: ashDisp.exe (PID: 2096) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: chrome.exe (PID: 1272) Address: 0x00b50000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: chrome.exe (PID: 1272) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: chrome.exe (PID: 3732) Address: 0x00ba0000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: chrome.exe (PID: 3732) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: RootRepeal.exe (PID: 3140) Address: 0x00bc0000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: RootRepeal.exe (PID: 3140) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: AppleMobileDeviceService.exe (PID: 2640) Address: 0x007d0000 Size: 49152

Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: AppleMobileDeviceService.exe (PID: 2640) Address: 0x10000000 Size: 45056

==EOF==


There, that's what I first saw when the scan was done. I hope it's all helpful to you.

Edited by Goat Fish, 11 August 2009 - 02:25 PM.


#7 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:09 AM

Posted 11 August 2009 - 03:16 PM

Hello, Goat Fish :thumbup2:
API == Application Programming Interface
See the Wiki -> http://en.wikipedia.org/wiki/Application_p...mming_interface

Windows NT (and derivatives 2000, XP, Vista, and 7) has two APIs: one internal API, and the public API. The public API is the Windows API. The undocumented API is almost completely contained inside NTDLL.DLL, which is located in your system32 folder.

Rootrepeal is reporting the lock, because often malware locks files in order to prevent their removal by Anti Malware applications. Of course, we've got some picks for those locks :)

The second report was the right one :)

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click Posted Image on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :cool:
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#8 Goat Fish, Topic Starter

Posted 14 August 2009 - 11:38 AM

All right, I ran combofix and all that stuff. Hopefully everything went well.

ComboFix 09-08-10.06 - Compaq_Owner 08/14/2009 11:37.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1446 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner\My Documents\Downloads\GlobRemover.exe.exe
AV: avast! antivirus 4.8.1335 [VPS 090813-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\akl
c:\program files\akl\akl.dll
c:\program files\akl\akl.exe
c:\program files\akl\uninstall.exe
c:\program files\akl\unsetup.exe
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Shared\04640842.dat
c:\program files\GetModule
c:\program files\GetModule\dicik.gz
c:\program files\GetModule\kwdik.gz
c:\program files\Inet Delivery
c:\program files\Inet Delivery\inetdl.exe
c:\program files\Inet Delivery\intdel.exe
c:\windows\a.bat
c:\windows\base64.tmp
c:\windows\bdn.com
c:\windows\FVProtect.exe
c:\windows\iTunesMusic.exe
c:\windows\mslagent
c:\windows\mslagent\2_mslagent.dll
c:\windows\mslagent\mslagent.exe
c:\windows\mslagent\uninstall.exe
c:\windows\mssecu.exe
c:\windows\run.log
c:\windows\system32\akttzn.exe
c:\windows\system32\anticipator.dll
c:\windows\system32\awtoolb.dll
c:\windows\system32\bdn.com
c:\windows\system32\bsva-egihsg52.exe
c:\windows\system32\dpcproxy.exe
c:\windows\system32\drivers\SKYNETneqrsbmg.sys
c:\windows\system32\drivers\UAClqmtjnjcyuuxlmnto.sys
c:\windows\system32\emesx.dll
c:\windows\system32\hoproxy.dll
c:\windows\system32\hxiwlgpm.dat
c:\windows\system32\hxiwlgpm.exe
c:\windows\system32\medup012.dll
c:\windows\system32\medup020.dll
c:\windows\system32\msgp.exe
c:\windows\system32\msnbho.dll
c:\windows\system32\mssecu.exe
c:\windows\system32\msvchost.exe
c:\windows\system32\mtr2.exe
c:\windows\system32\mwin32.exe
c:\windows\system32\netode.exe
c:\windows\system32\newsd32.exe
c:\windows\system32\ps1.exe
c:\windows\system32\psof1.exe
c:\windows\system32\psoft1.exe
c:\windows\system32\regc64.dll
c:\windows\system32\regm64.dll
c:\windows\system32\Rundl1.exe
c:\windows\system32\SKYNETpxuldawk.dll
c:\windows\system32\SKYNETwmnaunwo.dll
c:\windows\system32\SKYNETxjextjts.dat
c:\windows\system32\SKYNETyjlabaop.dat
c:\windows\system32\smp
c:\windows\system32\smp\msrc.exe
c:\windows\system32\sncntr.exe
c:\windows\system32\ssurf022.dll
c:\windows\system32\ssvchost.com
c:\windows\system32\ssvchost.exe
c:\windows\system32\sysreq.exe
c:\windows\system32\taack.dat
c:\windows\system32\taack.exe
c:\windows\system32\temp#01.exe
c:\windows\system32\thun.dll
c:\windows\system32\thun32.dll
c:\windows\system32\UACcoxgppirpkecncubo.dat
c:\windows\system32\UACeqsoinntjajxllste.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACitwrdkkuyjelmxoee.dll
c:\windows\system32\UACjwyldlpvkjksyxcuk.dll
c:\windows\system32\UAClnrgjiqwsbbwalkxx.dll
c:\windows\system32\UACngqrsowpuhsrjmged.dll
c:\windows\system32\UACstpybypfwdhenolio.db
c:\windows\system32\uactmp.db
c:\windows\system32\VBIEWER.OCX
c:\windows\system32\vbsys2.dll
c:\windows\system32\vcatchpi.dll
c:\windows\system32\wini10451631.exe
c:\windows\system32\winlogonpc.exe
c:\windows\system32\winsystem.exe
c:\windows\system32\WINWGPX.EXE
c:\windows\userconfig9x.dll
c:\windows\wiaservv.log
c:\windows\winsystem.exe
c:\windows\zip1.tmp
c:\windows\zip2.tmp
c:\windows\zip3.tmp
c:\windows\zipped.tmp
D:\Autorun.inf


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETcfemaqel
-------\Legacy_SKYNETcfemaqel
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_CD_PROXY


((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
.

2009-08-14 15:35 . 2009-08-14 15:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2009-08-11 18:42 . 2009-08-11 18:42 0 ----a-w- c:\documents and settings\Compaq_Owner\settings.dat
2009-07-26 12:59 . 2009-07-26 12:59 -------- d-----w- c:\program files\iPod
2009-07-26 12:59 . 2009-07-26 12:59 -------- d-----w- c:\program files\iTunes
2009-07-24 20:23 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-24 20:23 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-24 20:23 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-24 20:23 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-24 20:23 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-24 20:23 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-24 20:23 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-24 20:23 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-24 20:22 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-17 19:01 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 15:05 . 2008-10-11 16:57 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\ComcastToolbar
2009-08-13 21:24 . 2007-01-16 17:41 21620 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2009-08-13 13:17 . 2009-03-28 16:40 -------- d-----w- c:\program files\Lavasoft
2009-08-05 09:01 . 2004-08-04 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 12:59 . 2008-03-10 19:39 -------- d-----w- c:\program files\Common Files\Apple
2009-07-25 18:36 . 2006-08-31 06:31 -------- d-----w- c:\program files\music_now
2009-07-25 18:35 . 2009-03-26 15:22 -------- d-----w- c:\program files\Xvid
2009-07-25 18:35 . 2006-08-31 06:42 -------- d-----w- c:\program files\Microsoft Works
2009-07-25 18:35 . 2006-08-31 06:41 -------- d-----w- c:\program files\MSN Encarta Standard
2009-07-25 18:35 . 2009-03-10 22:24 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-25 18:35 . 2006-08-31 06:53 -------- d-----w- c:\program files\PC-Doctor 5 for Windows
2009-07-25 18:35 . 2007-09-01 00:19 -------- d-----w- c:\program files\DivX
2009-07-25 18:35 . 2008-10-11 16:57 -------- d-----w- c:\program files\ComcastToolbar
2009-07-24 01:51 . 2006-08-31 06:33 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-24 01:46 . 2008-01-07 12:47 -------- d-----w- c:\program files\Blurty
2009-07-17 19:01 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 11:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 07:31 . 2009-07-12 07:31 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-07 17:36 . 2006-08-31 06:09 -------- d-----w- c:\program files\Java
2009-07-07 17:17 . 2009-07-07 17:17 152576 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-03 17:09 . 2004-08-04 11:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2004-08-04 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 11:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 11:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-04 11:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 11:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 15:42 . 2009-06-14 03:43 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2008-03-10 19:39 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2004-08-04 11:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 15:33 . 2009-01-10 16:53 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-31 180269]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-09 1519616]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-6-23 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-31 27136]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/24/2009 4:23 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/24/2009 4:23 PM 20560]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c9e61e3199dac6;Google Update Service (gupdate1c9e61e3199dac6);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2009 4:42 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKLM-Run-PCDrProfiler - (no file)
HKLM-Explorer_Run-vUDNTe1yOv - c:\documents and settings\All Users\Application Data\pslebgds\xifwpqfi.exe
SSODL-commntcmd-{6CAAFDFF-727E-3975-C65F-08A97AE6783B} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCfox000&fl=0&ptb=FrvHOnNOwGP7xFGNjthBdw&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZCfox000
FF - ProfilePath - c:\docume~1\COMPAQ~1\APPLIC~1\Mozilla\Firefox\Profiles\dkvqgc9o.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net?cid=NET_mmhpset
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-14 11:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(808)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
.
**************************************************************************
.
Completion time: 2009-08-14 12:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-14 16:05

Pre-Run: 55,871,848,448 bytes free
Post-Run: 57,054,584,832 bytes free

293 --- E O F --- 2009-08-13 03:02

Edited by Goat Fish, 14 August 2009 - 11:45 AM.


#9 Billy O'Neal, Malware Response Team

Posted 14 August 2009 - 01:06 PM

Hello, Goat Fish :)
:thumbup2: How are things running now?

Please post a fresh rootrepeal log:

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
In your next reply, please include the following:
  • RootRepeal Log
  • ESET OnlineScan's Log

Billy3

Edited by Billy O'Neal, 14 August 2009 - 01:06 PM.


#10 Goat Fish, Topic Starter

Posted 16 August 2009 - 08:48 PM

Error- invalid PE image found! 21:24:50 (This happened when I opened it)


Here is the report, I hope that it bears good news.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/16 21:27
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB5295000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE3A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2715000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcafee_epf0ffmly81rzi2
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb62ac6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb62ac574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb62aca52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb62ac14c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb62ac64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb62ac08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb62ac0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb62ac76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb62ac72e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb62ac8ae

==EOF==

#11 Billy O'Neal, Malware Response Team

Posted 16 August 2009 - 09:14 PM

Don't worry about the message :thumbup2: The log indicates that the rootkit driver has been removed, which is what we are looking for :) (The remaining hooks are installed by Avast AntiVirus' Self Protection Module).

Please run the ESET steps.

Billy3
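The hidden-module entries at the top of this page (the same two UAC*.dll names reported inside mcsysmon.exe, mcagent.exe, Explorer.EXE, chrome.exe and RootRepeal.exe itself) and the SSDT triage in post #11 (every remaining hook is owned by aswSP.SYS, avast!'s self-protection driver) are the two log readings an analyst repeats on every RootRepeal report. The script below is an added example, not code from this thread or from RootRepeal: it parses those two record types, reports which hidden modules appear in many distinct processes, and groups SSDT hooks by hooking driver after dropping an allowlist. The sample report embedded in it is a constructed subset of the entries posted above, and the allowlist (only aswSP.SYS) is an assumption standing in for the list an analyst would maintain.

```python
"""Triage helper for RootRepeal-style reports.

Added example; not code from the thread or from RootRepeal. It parses the two
record types in the logs posted above (Hidden Module entries and SSDT hook
entries) and answers what an analyst asks of them: which hidden modules show
up inside many unrelated processes (injected system-wide, the user-mode
rootkit hallmark), and which SSDT hooks are NOT explained by an allowlist of
known security drivers (here aswSP.SYS, avast!'s self-protection driver).
"""
import re
from collections import defaultdict

HIDDEN_MODULE_RE = re.compile(r"^Object: Hidden Module \[Name: (?P<name>[^\]]+)\]$")
PROCESS_RE = re.compile(r"^Process: (?P<proc>.+?) \(PID: (?P<pid>\d+)\) "
                        r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)$")
SSDT_FUNC_RE = re.compile(r"^#: (?P<idx>\d+) Function Name: (?P<func>\w+)$")
SSDT_STATUS_RE = re.compile(r'^Status: Hooked by "(?P<driver>[^"]+)" '
                            r"at address (?P<addr>0x[0-9A-Fa-f]+)$")


def parse_report(text):
    """Return (hidden_modules, ssdt_hooks), each a list of dicts.

    Both record types span two lines, so the first line is carried forward
    until its partner is seen; anything else in the report is ignored.
    """
    hidden, hooks = [], []
    pending_module = pending_func = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_MODULE_RE.match(line):
            pending_module = m["name"]
        elif (m := PROCESS_RE.match(line)) and pending_module:
            hidden.append({"name": pending_module, "proc": m["proc"],
                           "pid": int(m["pid"]), "addr": int(m["addr"], 16),
                           "size": int(m["size"])})
            pending_module = None
        elif m := SSDT_FUNC_RE.match(line):
            pending_func = (int(m["idx"]), m["func"])
        elif (m := SSDT_STATUS_RE.match(line)) and pending_func:
            hooks.append({"idx": pending_func[0], "func": pending_func[1],
                          "driver": m["driver"], "addr": int(m["addr"], 16)})
            pending_func = None
    return hidden, hooks


def injected_modules(hidden, min_processes=3):
    """Map module name -> sorted [(process, pid), ...] for every hidden module
    seen in at least min_processes distinct processes."""
    by_name = defaultdict(set)
    for h in hidden:
        by_name[h["name"]].add((h["proc"], h["pid"]))
    return {n: sorted(p) for n, p in by_name.items() if len(p) >= min_processes}


def unexpected_ssdt_hooks(hooks, allowed_drivers):
    """Group hooked functions by hooking driver file name, dropping drivers on
    the allowlist (matched case-insensitively on the file name only)."""
    allowed = {d.lower() for d in allowed_drivers}
    by_driver = defaultdict(list)
    for h in hooks:
        fname = h["driver"].replace("\\", "/").rsplit("/", 1)[-1]
        if fname.lower() not in allowed:
            by_driver[fname].append(h["func"])
    return {d: sorted(f) for d, f in by_driver.items()}


def triage(text, allowed_drivers=("aswSP.SYS",)):
    """One call: (widely injected modules, SSDT hooks still needing an owner)."""
    hidden, hooks = parse_report(text)
    return injected_modules(hidden), unexpected_ssdt_hooks(hooks, allowed_drivers)


# Constructed sample: a subset of the entries posted in this thread.
SAMPLE_REPORT = r"""
Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: mcsysmon.exe (PID: 2168) Address: 0x00950000 Size: 49152
Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: mcsysmon.exe (PID: 2168) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: Explorer.EXE (PID: 1672) Address: 0x00d30000 Size: 49152
Object: Hidden Module [Name: UACeqsoinntjajxllste.dll]
Process: Explorer.EXE (PID: 1672) Address: 0x10000000 Size: 45056
Object: Hidden Module [Name: UACngqrsowpuhsrjmged.dll]
Process: RootRepeal.exe (PID: 3140) Address: 0x00bc0000 Size: 49152

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb62ac6b8
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb62ac08c
"""

if __name__ == "__main__":
    injected, leftover = triage(SAMPLE_REPORT)
    for name, procs in injected.items():
        print(name, "hidden in", ", ".join(f"{p} ({pid})" for p, pid in procs))
    print("SSDT hooks not explained by the allowlist:", leftover or "none")
```

Run against the full report from the top of this page, the first check lists both UAC*.dll names in every user process RootRepeal scanned, and the second returns nothing once aswSP.SYS is allowlisted, which is exactly the reading given in post #11. Keep the allowlist short and specific (file names of drivers you have confirmed belong to an installed security product); a hook owned by an unsigned driver in a randomly named file is what the check is there to surface.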

#12 Goat Fish, Topic Starter

Posted 19 August 2009 - 07:20 AM

I promise that I haven't forgotten or abandoned my quest to get rid of the malware, I have been trying to run the ESET that you asked me to, but it doesn't seem to be working out for me.

The first time it scanned, it got to about 20% then just sort of sat there for a long time. The second time, it took it six hours to get past 20%, then someone overloaded the breaker in my house and my computer was a casualty of that. Then the third time I tried to run it, I got to 20% and once again it just sat there. It's running right now, hopefully it'll be a little swifter, and if not, no one trips my breaker.

I disabled my Avast thinking that might help it out, I'm afraid to disable McAfee too.

I just wanted you to know that I'm working on it, and that I will post the report as soon as I get it. Just don't give up on me.


#13 Goat Fish, Topic Starter

Posted 21 August 2009 - 02:00 PM

O.K. I got the scan to work, however it didn't let me log it. I thought I followed the directions to the "T", but I guess I messed up somewhere. The good news is that it didn't discover any infections. If you want I can run it again and see if this time I can get some sort of report to show you. It's still installed in my computer...even though I checked the "uninstall on close" option. Hmmm....
Well, let me know. Once again I'm soooo sorry that I had such a hard time getting it to work.

Thanks Again,
Tanya


#14 Billy O'Neal, Malware Response Team

Posted 21 August 2009 - 05:29 PM

Hello, Goat Fish.

Not a problem :) The log is only produced if there are infections found.

Congratulations! You now appear clean! :thumbup2:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the Posted Image icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).

Edited by Billy O'Neal, 21 August 2009 - 05:29 PM.


#15 Goat Fish, Topic Starter

Posted 23 August 2009 - 10:49 AM

It seems that there's something wrong with the links for OTCleanIt, I keep getting a "Not Found" response when I click on them.
I took your advice on the StartupLite, and plan on installing one of the anti-spyware programs you mentioned, but is that going to work well with Avast and McAfee or should I uninstall Avast?




