Unknown Rootkit

  • This topic is locked
2 replies to this topic

#1 Turnkeys


  • Members
  • 2 posts

Posted 01 August 2009 - 08:15 PM

Hello and thanks for your attention. This is the first one I've encountered I haven't been able to clean myself, and I've been at this a while. After nearly a week of research and various attempts, I've had to admit that this one has stumped me.

I think it's a rootkit related to the FFSearch.dll click fraud scheme, but I can't be sure. I also can't yet provide either a HJ or MBAM log, as it terminates their processes and then hides the apps from windows. So, I'll give you what I have, and perhaps one of you can suggest a scanner that will provide a better look.

I have a WinXP Media Edition system. SP3, 2005 Media Edition Rollup (I think, the latest available.) Dual Core, 4GB Ram.
I see browser hijacks in IE7 and Firefox, though more in IE7. Google searches are redirected when clicked on to either Info.com sites or Malwareremovalbot.com for any related searches. I've since installed Google's Chrome for browser searches.

AVG's Anti-Rootkit (Free ver) reports two hidden files but is unable to clean them.
C:\windows\win32k.sys:2 and

Viewing the process list with Process Explorer, I see what appears to be a randomly named DLL called by a device at the global root.
Library \\?\globalroot\Device\__max++>\7274DC02.x86.dll (*** hidden ***) @ C:\WINDOWS\System32\svchost.exe
As the attached logs will show, it's hooked all over.

I have renamed HJ and the MBAM installer trying to get a successful run, but they're also terminated. Scans with McAfee, Super Anti Spyware, Spybot Search & Destroy and Blacklight were also terminated. Additionally, I was unable to run the DDS scan (with McAfee's script blocking disabled). I can view scans with RootRepeal and Gmer, as long as I don't run a file scan.

Attached File  RootRepeal_report_08_01_09__12_15_17_.txt   58.61KB   16 downloads
Attached File  GMERScan.txt.txt   174KB   7 downloads
Attached File  ProcExpCapture.JPG   243KB   5 downloads

Since I can't yet provide comprehensive scans, I've sort of compiled this from memory of my efforts over the past week. I've also attempted various scans from Hiren's Mini XP environment, and a BartPE boot as well as Safe Mode. As I can recall, safe mode loads the injected stream as well.

I look forward to any suggestions.
Thank you.

Out of impatience and stubbornness, I tried a few more scans. Though it hadn't removed all of the problem files on its first scans, I noticed some that had been previously removed had been replaced, presumably from other copies. I ran it again and allowed it to reboot as soon as it detected and stopped the first stream. The next boot appears cleaner. I managed to get HJT and DDS to run successfully. I'll try MBAM soon.

Attached File  DDS.txt   18.26KB   1 downloads
Attached File  Attach.txt   13.9KB   11 downloads

I'm unable to attach an additional file ATM....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:03 PM, on 8/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
k:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
K:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
K:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
K:\Program Files\Input Director\IDWinService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
K:\Program Files\Input Director\InputDirectorSessionHelper.exe
C:\Program Files\Common Files\AOL\Screensaver\ygpsstra.exe
K:\Program Files\LogMeIn\x86\RaMaint.exe
K:\Program Files\Microsoft ActiveSync\wcescomm.exe
K:\Program Files\Sandboxie\SbieCtrl.exe
C:\Documents and Settings\Default\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\CTFaMicetra.exe
K:\Program Files\LogMeIn\x86\LogMeIn.exe
K:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
k:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\NetLimiter 2 Monitor\NLClient.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
K:\Program Files\STOPzilla!\STOPzilla.exe
K:\Program Files\STOPzilla!\SZOptions.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZScanner.exe
C:\Program Files\Grisoft\AVG Anti-Rootkit Free\avgarkt.exe
C:\Program Files\Grisoft\AVG Anti-Rootkit Free\TvdJP8lY.exe
C:\Documents and Settings\Default\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Default\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\DOCUME~1\Default\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe
C:\DOCUME~1\Default\LOCALS~1\Temp\Temporary Directory 2 for HiJackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - K:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - K:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - K:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - K:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [StartupDelayer] "K:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CreativeMS2020] C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [You've Got Pictures Screensaver] C:\Program Files\Common Files\AOL\Screensaver\ygpsstra.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "K:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SandboxieControl] "k:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Default\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-2671305814-3460863845-914233096-1008\..\Run: [You've Got Pictures Screensaver] C:\Program Files\Common Files\AOL\Screensaver\ygpsstra.exe (User '?')
O4 - HKUS\S-1-5-21-2671305814-3460863845-914233096-1008\..\Run: [H/PC Connection Agent] "K:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User '?')
O4 - HKUS\S-1-5-21-2671305814-3460863845-914233096-1008\..\Run: [SandboxieControl] "k:\Program Files\Sandboxie\SbieCtrl.exe" (User '?')
O4 - HKUS\S-1-5-21-2671305814-3460863845-914233096-1008\..\Run: [Google Update] "C:\Documents and Settings\Default\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - K:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - K:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - K:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - K:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - K:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - K:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) -
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) -
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Active WebCam Watchdog (ACTIVEWEBCAMWATCHDOG) - PY Software - K:\Program Files\Active WebCam\Watchdog.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - K:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel
O23 - Service: Input Director Service (InputDirector) - Unknown owner - K:\Program Files\Input Director\IDWinService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - K:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn Service (LogMeIn) - LogMeIn, Inc. - K:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - k:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PRTG Watchdog (prtgwatchservice) - Unknown owner - C:\Program Files\PRTG Traffic Grapher\watchdog\prtgwatchdog.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - k:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - K:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - K:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe

End of file - 20638 bytes

Merged posts. ~ OB

Edited by Orange Blossom, 01 August 2009 - 11:41 PM.
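The things a responder scans a log like the one above for by eye (LSP entries HijackThis could not attribute, services with no publisher string or with a binary that is not on disk, ActiveX entries with no source URL, and the two path shapes the poster reported from AVG Anti-Rootkit and Process Explorer, an alternate data stream on win32k.sys and a DLL loaded from a \\?\globalroot\Device\... path) can be pre-screened mechanically. What follows is an added example written for this thread; it is not code from the post, from HijackThis, or from any of the tools named. The sample log it runs over is a constructed, abbreviated copy of a few entries from the log above, and the heuristics are the editor's, not HijackThis's own rules.

```python
r"""Triage heuristics for a HijackThis-style log.

Added example for this thread, not part of the original post and not code
from HijackThis itself.  It encodes checks a responder applies by eye to a
log like the one above: entries HijackThis could not attribute, entries
pointing at files that are not on disk, and path shapes the poster reported
from AVG Anti-Rootkit and Process Explorer (an alternate data stream on
win32k.sys, a DLL loaded from a \\?\globalroot\Device\... path).
"""
import re

# Constructed sample in the HijackThis v2 line format.  The entries are
# abbreviated copies of lines from the log above, not a fresh scan.
SAMPLE_LOG = r"""
Running processes:
C:\DOCUME~1\Default\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: skype4com - (no CLSID) - (no file)
O23 - Service: PRTG Watchdog (prtgwatchservice) - Unknown owner - C:\Program Files\PRTG Traffic Grapher\watchdog\prtgwatchdog.exe (file missing)
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Path-shape heuristics.  A ":" after the file extension is NTFS alternate
# data stream syntax (win32k.sys:2); "globalroot\" or "\Device\" means the
# image was opened through the object manager namespace, not a drive letter.
_ADS_RE = re.compile(r"\.[A-Za-z0-9]{1,4}:[^\\/:]+$")
_GLOBALROOT_RE = re.compile(r"globalroot\\|\\Device\\", re.IGNORECASE)
_TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def suspicious_path(path):
    """Return the reasons a path deserves a closer look (empty list if none)."""
    reasons = []
    if _ADS_RE.search(path):
        reasons.append("alternate data stream")
    if _GLOBALROOT_RE.search(path):
        reasons.append("globalroot/device path")
    if _TEMP_RE.search(path):
        reasons.append("runs from Temp")
    if path.lower().endswith("\\srvany.exe"):
        # srvany only wraps another program; the real binary lives in the
        # service's Parameters\Application registry value, which HijackThis
        # does not display.
        reasons.append("srvany wrapper, real binary not shown")
    return reasons


def triage(log_text):
    """Return (reason, line) pairs for every log line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = suspicious_path(line)
        if line.startswith("O10 - Unknown file in Winsock LSP"):
            # HijackThis flags any LSP not on its built-in list.  Verify the
            # file's publisher before removing it: pulling a live LSP out of
            # the Winsock chain can break all networking on the box.
            reasons.append("LSP not on HijackThis list")
        if line.startswith("O16 - DPF") and line.endswith(" -"):
            reasons.append("ActiveX download entry with no source URL")
        if line.startswith("O18 - Protocol") and "(no file)" in line:
            reasons.append("protocol handler registered but DLL missing")
        if line.startswith("O23 - Service"):
            if "Unknown owner" in line:
                reasons.append("service without a publisher string")
            if "(file missing)" in line:
                reasons.append("service binary missing on disk")
        findings.extend((reason, line) for reason in reasons)
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Treat every hit as a prompt to verify, not a verdict: in the log above "Unknown owner" also appears on Windows Defender, Input Director and McAfee Scanner, and the six identical O10 lines are one LSP DLL registered in several Winsock catalog entries. The module the poster saw marked *** hidden *** in Process Explorer never reaches a HijackThis log at all, because HijackThis reads through the same APIs the rootkit hooks; that is why the cross-view scanners the poster could still run (GMER, RootRepeal) were the ones that surfaced it.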



#2 thcbytes


  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 10 August 2009 - 01:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!


#3 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 20 August 2009 - 08:50 PM

Due to lack of feedback, this topic has been closed.
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)