
NTosKrnl-Hook UACD.SYS WJQS.EXE Generic RootKit.d!RootKit


  • This topic is locked
17 replies to this topic

#1 RikCab
  • Members

Posted 09 August 2009 - 12:51 AM

Attached File: Attach.zip (4.33KB)

This was a redirect by OBlossom,

Hi
Hope you can help. I clicked on a link to a web page that I shouldn't have and got a popup saying I needed to update my Adobe, thinking all was ok! When I did that another popup came and said I may be infected and it wanted me to click on their link. Which I didn't; instead I tried closing the windows, even with Ctrl-Alt-Del, but it wouldn't let me.
Then, returning to the desktop, McAfee said something wanted access and asked if I allowed it. Again, no! The only way out was a reboot, which took some time to shut down. When the system came back on I got a window saying Google Installer had a problem and had to close; never had that before. It did have a "more info" link, which I clicked, and a new window opened up saying something about UACD.SYS & WJQS.EXE! I found them in the registry; I knew I had a problem.
After running McAfee it said something about NTOSKRNL-HOOK and Generic RootKit.d!RootKit. Needless to say, I am here. I would continue to get that popup about Google Installer needing to close. Also, when I did a search and would click on a link I would get the "WindowsClick" and was redirected to another web page.
Ok, to try to shorten it, I tried a lot and nothing seemed to help. Until I read here and ran ComboFix, which seemed to work! Had to make note of some files: "UAC******.dll", one "UAC******.dat", and another was "Service_Uac.sys"; the "*" equals random letters. I also ran Kaspersky Online Scan 7.0 and my McAfee again. Everything seems great; the system is running normally and there is no more redirecting. Also, the two files listed in the Registry, "UACD.SYS" and "WJQS.EXE", are both gone. Also, ComboFix had placed the files I had to write down into a folder called C:\Qoobox\Quarantine.
I have the log file from ComboFix; I was hoping that someone could check it for me. Also, I was hoping to be able to just delete the whole directory "C:\Qoobox\", not sure if that is acceptable. I read here a lot about different things I needed to do; it was also very helpful and informative. The firewall setting, the privacy setting, disabling the restore point before doing all this stuff. You guys are really great!

After first contact:

Update: I ran the DDS log and Attach.zip and have them here as directed by Orange Blossom. I just wanted to add that I was at Microsoft and ran their online scan through the "Malicious Software Removal Tool". It took a very long time (aka, I slept!) to run, but it found more trouble! Files listed as follows:

Trojan Win32/Alureon.BD
.BF
.gen!C
.gen!R
.gen!U
Trojan WinNT/Alureon.D

It said it was unable to remove 3 files: .gen!C, .gen!R, .gen!U. I am also able to run MalwareBytes now; it found one problem and took care of it. I've attached my DDS and my zipped ATTACH file. I will attach my latest ComboFix log when asked. I have only accessed my email to get out here. I am worried about doing any type of banking etc... You guys are great, I thank you, and to Orange Blossom, thanks again....

have a great night.
Rik



DDS file follows:



DDS (Ver_09-07-30.01) - NTFSx86
Run by Richie at 16:37:22.76 on Sat 08/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.460 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Richie\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\WINDOWS\system32\spider.exe
C:\Documents and Settings\Richie\Desktop\dds for HJT.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1227789090&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D680107031&id=64855
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Upromise IE Toolbar: {06e58e5e-f8cb-4049-991e-a41c03bd419e} - c:\program files\upromise\upromisetoolbar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [cdloader] "c:\documents and settings\richie\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver\LVCOMS.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NortonAntiBot] "c:\program files\symantec\norton antibot\agent\bin\NortonAntiBot.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\richie\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - c:\program files\upromise\upromisetoolbar.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} - hxxp://econetreports.ecolab.com/viewer9/activeXViewer/activexviewer.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} - hxxps://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196535412608
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://www.taxsimple.org/tsweb/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://support.magicjack.com/jre-1_5_0_14-windows-i586-p.exe
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} - hxxp://fdl.msn.com/public/investor/v13/ticker.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5182/mcfscan.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by127fd.bay127.hotmail.msn.com/activex/HMAtchmt.ocx
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\richie\applic~1\mozilla\firefox\profiles\jo4cc0kk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://watch-movies-links.net/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-23 201320]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-23 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-8-23 144704]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 SymantecAntiBotWatcher;SymantecAntiBotWatcher;c:\program files\symantec\norton antibot\agent\bin\NABWatcher.exe [2008-9-8 539160]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-8-23 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-23 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-23 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-23 40488]
R3 SymantecAntiBotDriver;SymantecAntiBotDriver;c:\program files\symantec\norton antibot\agent\driver\AntiBotDriver.sys [2008-9-8 161304]
R3 SymantecAntiBotFilter;SymantecAntiBotFilter;c:\program files\symantec\norton antibot\agent\driver\AntiBotFilter.sys [2008-9-8 29720]
R3 SymantecAntiBotShim;SymantecAntiBotShim;c:\program files\symantec\norton antibot\agent\driver\AntiBotShim.sys [2008-9-8 27280]
S2 gupdate1c9f1dca162a76;Google Update Service (gupdate1c9f1dca162a76);c:\program files\google\update\GoogleUpdate.exe [2009-6-20 133104]
S2 SymantecAntiBotAgent;SymantecAntiBotAgent;c:\program files\symantec\norton antibot\agent\bin\NABAgent.exe [2008-9-8 4910104]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\richie\locals~1\temp\alsysio.sys --> c:\docume~1\richie\locals~1\temp\ALSysIO.sys [?]
S3 MapMem;MapMem;\??\j:\mapmem.sys --> j:\mapmem.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-23 33832]
S3 PhotoFrame;PhotoFrame_2.0 Device;c:\windows\system32\drivers\PhotoFrame.sys [2007-12-24 30464]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-08-08 09:01 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 09:00 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 09:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-06 08:59 <DIR> --d----- c:\program files\Microsoft
2009-08-06 08:57 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-03 10:30 <DIR> --d----- c:\docume~1\richie\applic~1\Malwarebytes
2009-08-03 09:46 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-03 09:16 <DIR> a-dshr-- C:\cmdcons
2009-08-03 09:14 216,064 a------- c:\windows\PEV.exe
2009-08-03 09:14 161,792 a------- c:\windows\SWREG.exe
2009-08-03 09:14 98,816 a------- c:\windows\sed.exe
2009-08-03 08:53 <DIR> --d----- C:\AVGTemp
2009-08-03 08:04 <DIR> --dsh--- c:\documents and settings\richie\IECompatCache
2009-08-03 08:02 <DIR> --dsh--- c:\documents and settings\richie\PrivacIE
2009-08-03 08:00 <DIR> --dsh--- c:\documents and settings\richie\IETldCache
2009-08-03 07:55 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-03 07:55 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-03 07:55 <DIR> --d----- c:\windows\ie8updates
2009-08-03 07:55 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-03 07:54 <DIR> -cd-h--- c:\windows\ie8
2009-08-02 10:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-31 19:48 <DIR> --d----- c:\docume~1\richie\applic~1\Logs
2009-07-28 20:43 <DIR> --d----- c:\program files\Netflix
2009-07-17 22:44 <DIR> --d----- c:\program files\common files\xing shared

==================== Find3M ====================

2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-08 20:31 2,272 a------- c:\windows\system32\w95inf16.dll
2009-06-08 20:31 4,608 a------- c:\windows\system32\w95inf32.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2007-12-30 10:39 774,144 a------- c:\program files\RngInterstitial.dll
2008-06-05 21:37 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060520080606\index.dat

============= FINISH: 16:38:24.42 ===============


Edited by RikCab, 09 August 2009 - 05:52 PM.




#2 RikCab
  • Topic Starter
  • Members

Posted 11 August 2009 - 11:02 AM

I just wanted to mention an oddity I've noticed: my msn.com link in favorites keeps disappearing. I've saved it, then it's gone again! I'm not proceeding with anything else until told to do so. Though I do hope to understand this soon and rectify its problems!

thanks again,

Hello RikCab,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is that it would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)



Thanks weatherman, I did just read about that while scanning another's post. I was going to make a note of it here, but you beat me to it, lol. I did try to edit my original post; I believe the second time it didn't seem that I could? Still learning, thanks again...

Edited by RikCab, 12 August 2009 - 07:24 AM.


#3 extremeboy
  • Malware Response Team

Posted 19 August 2009 - 09:47 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



If you still require assistance, please post a new set of DDS logs and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log, please refer to this page; in step #6 there are instructions on downloading and running DDS. If you have any problems, just let me know in your next reply or simply post a HijackThis log.

Then, please run RootRepeal:

Download and run RootRepeal CR

Please download RootRepeal to your desktop
Alternative Download Link 2
Alternative Download Link 3
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Unzip it to its own folder.
  • Close/disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Report tab at the bottom.
  • Now click the Scan button in the Report tab.
  • A box will pop up; check the boxes beside ALL seven options/scan areas.
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free, but if you wish to show your appreciation, you may wish to donate.

#4 extremeboy
  • Malware Response Team

Posted 23 August 2009 - 08:51 AM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy

#5 extremeboy
  • Malware Response Team

Posted 24 August 2009 - 11:15 AM

Re-opened upon user's request.

~EB

#6 RikCab
  • Topic Starter
  • Members

Posted 24 August 2009 - 06:43 PM

Thanks Extremeboy,

Just a couple of other weird notes for you! I have also heard strange sounds, like music coming from my speakers. Though that was only once! I had read about that in other posts. Another strange one is that my MSN.COM link in favorites seemed to disappear from my favorites. Though it seems ok now? As I stated in my previous post, I did everything I could; I hope everything looks ok to you! I just wanted to thank you again for being out here!

Thanks, RikCab




DDS (Ver_09-07-30.01) - NTFSx86
Run by Richie at 15:52:15.45 on Sun 08/23/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.465 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SpeedFan\speedfan.exe
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
C:\Documents and Settings\Richie\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Richie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1227789090&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D680107031&id=64855
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Upromise IE Toolbar: {06e58e5e-f8cb-4049-991e-a41c03bd419e} - c:\program files\upromise\upromisetoolbar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [cdloader] "c:\documents and settings\richie\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver\LVCOMS.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NortonAntiBot] "c:\program files\symantec\norton antibot\agent\bin\NortonAntiBot.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\richie\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - c:\program files\upromise\upromisetoolbar.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} - hxxp://econetreports.ecolab.com/viewer9/activeXViewer/activexviewer.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} - hxxps://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196535412608
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://www.taxsimple.org/tsweb/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://support.magicjack.com/jre-1_5_0_14-windows-i586-p.exe
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} - hxxp://fdl.msn.com/public/investor/v13/ticker.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5182/mcfscan.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by127fd.bay127.hotmail.msn.com/activex/HMAtchmt.ocx
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\richie\applic~1\mozilla\firefox\profiles\jo4cc0kk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://watch-movies-links.net/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-23 201320]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-23 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-8-23 144704]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 SymantecAntiBotWatcher;SymantecAntiBotWatcher;c:\program files\symantec\norton antibot\agent\bin\NABWatcher.exe [2008-9-8 539160]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-8-23 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-23 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-23 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-23 40488]
R3 SymantecAntiBotDriver;SymantecAntiBotDriver;c:\program files\symantec\norton antibot\agent\driver\AntiBotDriver.sys [2008-9-8 161304]
R3 SymantecAntiBotFilter;SymantecAntiBotFilter;c:\program files\symantec\norton antibot\agent\driver\AntiBotFilter.sys [2008-9-8 29720]
R3 SymantecAntiBotShim;SymantecAntiBotShim;c:\program files\symantec\norton antibot\agent\driver\AntiBotShim.sys [2008-9-8 27280]
S2 gupdate1c9f1dca162a76;Google Update Service (gupdate1c9f1dca162a76);c:\program files\google\update\GoogleUpdate.exe [2009-6-20 133104]
S2 SymantecAntiBotAgent;SymantecAntiBotAgent;c:\program files\symantec\norton antibot\agent\bin\NABAgent.exe [2008-9-8 4910104]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\richie\locals~1\temp\alsysio.sys --> c:\docume~1\richie\locals~1\temp\ALSysIO.sys [?]
S3 MapMem;MapMem;\??\j:\mapmem.sys --> j:\mapmem.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-23 33832]
S3 PhotoFrame;PhotoFrame_2.0 Device;c:\windows\system32\drivers\PhotoFrame.sys [2007-12-24 30464]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-08-18 18:12 <DIR> --d----- c:\documents and settings\richie\AppData
2009-08-12 15:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 15:28 655,872 -c------ c:\windows\system32\dllcache\mstscax.dll
2009-08-08 09:01 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 09:00 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 09:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-06 08:59 <DIR> --d----- c:\program files\Microsoft
2009-08-06 08:57 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-05 05:11 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 10:30 <DIR> --d----- c:\docume~1\richie\applic~1\Malwarebytes
2009-08-03 09:46 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-03 09:16 <DIR> a-dshr-- C:\cmdcons
2009-08-03 09:14 216,064 a------- c:\windows\PEV.exe
2009-08-03 09:14 161,792 a------- c:\windows\SWREG.exe
2009-08-03 09:14 98,816 a------- c:\windows\sed.exe
2009-08-03 08:53 <DIR> --d----- C:\AVGTemp
2009-08-03 08:04 <DIR> --dsh--- c:\documents and settings\richie\IECompatCache
2009-08-03 08:02 <DIR> --dsh--- c:\documents and settings\richie\PrivacIE
2009-08-03 08:00 <DIR> --dsh--- c:\documents and settings\richie\IETldCache
2009-08-03 07:55 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-03 07:55 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-03 07:55 <DIR> --d----- c:\windows\ie8updates
2009-08-03 07:55 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-03 07:54 <DIR> -cd-h--- c:\windows\ie8
2009-08-02 10:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-31 19:48 <DIR> --d----- c:\docume~1\richie\applic~1\Logs
2009-07-28 20:43 <DIR> --d----- c:\program files\Netflix

==================== Find3M ====================

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 02:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-08 20:31 2,272 a------- c:\windows\system32\w95inf16.dll
2009-06-08 20:31 4,608 a------- c:\windows\system32\w95inf32.dll
2009-06-05 03:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2007-12-30 10:39 774,144 a------- c:\program files\RngInterstitial.dll
2008-06-05 21:37 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060520080606\index.dat

============= FINISH: 15:52:55.81 ===============




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/23 15:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF51E9000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A8D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7AF8000 Size: 1664 File Visible: No Signed: -
Status: -

Name: PCI_PNP8634
Image Path: \Driver\PCI_PNP8634
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB97B3000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF7A33000 Size: 5248 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spwh.sys
Image Path: spwh.sys
Address: 0xF7411000 Size: 1036288 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\mcmsc_szv2puflae6dkic
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\Program Files\Symantec\Norton AntiBot\agent\driver\AntiBotShim.sys" at address 0xf78c08a0

#: 041 Function Name: NtCreateKey
Status: Hooked by "spwh.sys" at address 0xf74120e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spwh.sys" at address 0xf742fca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spwh.sys" at address 0xf7430030

#: 119 Function Name: NtOpenKey
Status: Hooked by "spwh.sys" at address 0xf74120c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\Symantec\Norton AntiBot\agent\driver\AntiBotShim.sys" at address 0xf78c08d0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spwh.sys" at address 0xf7430108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spwh.sys" at address 0xf742ff88

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spwh.sys" at address 0xf743019a

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\Symantec\Norton AntiBot\agent\driver\AntiBotShim.sys" at address 0xf78c0980

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\Symantec\Norton AntiBot\agent\driver\AntiBotShim.sys" at address 0xf78c0a20

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\Symantec\Norton AntiBot\agent\driver\AntiBotShim.sys" at address 0xf78c0ac0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x86f6c1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x86b80500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x86e001f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x86e001f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x86e001f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x86e001f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86e001f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86e001f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86e001f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86e001f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x86e001f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86e001f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x86e001f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x86f6d1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x86f6d1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86f6d1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86f6d1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x86f6d1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86f6d1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x86f6d1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x86df8500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x86df8500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86df8500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86df8500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x86df8500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86df8500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x86df8500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x86859500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x86859500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x86859500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x86859500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86859500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86859500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x86859500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86859500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x86859500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x86df7500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x86df7500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86df7500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86df7500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x86df7500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86df7500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x86df7500 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x86fdb1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x86fdb1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x86fdb1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86fdb1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86fdb1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86fdb1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86fdb1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x86fdb1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x86fdb1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86fdb1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x86fdb1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x869671f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x869671f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x869671f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x869671f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x869671f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x869671f8 Size: 121

Object: Hidden Code [Driver: azwnc7bsЅ獕浴Ёఇ浍浓匨蘨Ā, IRP_MJ_CREATE]
Process: System Address: 0x86da51f8 Size: 121

Object: Hidden Code [Driver: azwnc7bsЅ獕浴Ёఇ浍浓匨蘨Ā, IRP_MJ_CLOSE]
Process: System Address: 0x86da51f8 Size: 121

Object: Hidden Code [Driver: azwnc7bsЅ獕浴Ёఇ浍浓匨蘨Ā, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86da51f8 Size: 121

Object: Hidden Code [Driver: azwnc7bsЅ獕浴Ёఇ浍浓匨蘨Ā, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86da51f8 Size: 121

Object: Hidden Code [Driver: azwnc7bsЅ獕浴Ёఇ浍浓匨蘨Ā, IRP_MJ_POWER]
Process: System Address: 0x86da51f8 Size: 121

Object: Hidden Code [Driver: azwnc7bsЅ獕浴Ёఇ浍浓匨蘨Ā, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86da51f8 Size: 121

Object: Hidden Code [Driver: azwnc7bsЅ獕浴Ёఇ浍浓匨蘨Ā, IRP_MJ_PNP]
Process: System Address: 0x86da51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x868651f8 Size: 121

Object: Hidden Code [Driver: Mc, IRP_MJ_CREATE]
Process: System Address: 0x86b92500 Size: 121

Object: Hidden Code [Driver: Mc, IRP_MJ_CLOSE]
Process: System Address: 0x86b92500 Size: 121

Object: Hidden Code [Driver: Mc, IRP_MJ_READ]
Process: System Address: 0x86b92500 Size: 121

Object: Hidden Code [Driver: Mc, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86b92500 Size: 121

Object: Hidden Code [Driver: Mc, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86b92500 Size: 121

Object: Hidden Code [Driver: Mc, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86b92500 Size: 121

Object: Hidden Code [Driver: Mc, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86b92500 Size: 121

Object: Hidden Code [Driver: Mc, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86b92500 Size: 121

Object: Hidden Code [Driver: Mc, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86b92500 Size: 121

Object: Hidden Code [Driver: Mc, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86b92500 Size: 121

Object: Hidden Code [Driver: Mc, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86b92500 Size: 121

Object: Hidden Code [Driver: Mc, IRP_MJ_CLEANUP]
Process: System Address: 0x86b92500 Size: 121

Object: Hidden Code [Driver: Mc, IRP_MJ_PNP]
Process: System Address: 0x86b92500 Size: 121

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\Symantec\Norton AntiBot\agent\driver\AntiBotShim.sys" at address 0xf78c0440

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Program Files\Symantec\Norton AntiBot\agent\driver\AntiBotShim.sys" at address 0xf78c03b0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Program Files\Symantec\Norton AntiBot\agent\driver\AntiBotShim.sys" at address 0xf78c03f0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\Symantec\Norton AntiBot\agent\driver\AntiBotShim.sys" at address 0xf78c0330

==EOF==


#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:12:12 PM

Posted 25 August 2009 - 09:57 AM

Hello.

You ran Combofix before, so yes, I would like to see the Combofix log. Please attach it in your next reply.

--

The logs look fine, however. Let's run an online scan and see what's left.

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 RikCab

RikCab
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male
  • Location:Wareham, Ma, USA
  • Local time:12:12 PM

Posted 26 August 2009 - 08:12 AM

Hi EB,

I got the ComboFix log, and as for the ESET OnlineScan, it came back with nothing found! I didn't see any link to click on saying "List of found threats," so I was not able to export to a text file. Well, I hope that is a good sign, or maybe I did something wrong? I ran it twice and it came back with nothing!
thanks, rik

log


ComboFix 09-08-25.04 - Richie 08/26/2009 8:41.9.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.657 [GMT -4:00]
Running from: c:\documents and settings\Richie\Desktop\ComboFix1.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
PEV Error: CacheFolder

((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))
.

2009-08-26 11:37 . 2009-08-01 16:16 6256600 ---ha-w- c:\documents and settings\Richie\Application Data\mjusbsp\in00000\setup.exe
2009-08-26 11:37 . 2009-08-01 16:12 728600 ---ha-w- c:\documents and settings\Richie\Application Data\mjusbsp\ar00000\install.exe
2009-08-26 11:37 . 2008-02-29 12:42 386496 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\ar00000\magicJackSplash.exe
2009-08-25 21:14 . 2009-08-25 21:14 -------- d-----w- c:\program files\ESET
2009-08-25 11:59 . 1998-04-24 23:08 368912 ----a-w- c:\windows\system32\vbar332.dll
2009-08-18 22:12 . 2009-08-18 22:12 -------- d-----w- c:\documents and settings\Richie\Local Settings\Application Data\temp
2009-08-18 22:12 . 2009-08-18 22:12 -------- d-----w- c:\documents and settings\Richie\AppData
2009-08-18 22:12 . 2009-08-18 22:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\temp
2009-08-18 22:12 . 2009-08-18 22:12 -------- d-----w- c:\documents and settings\NetworkService\AppData
2009-08-18 22:12 . 2009-08-18 22:12 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\temp
2009-08-18 22:12 . 2009-08-18 22:12 -------- d-----w- c:\documents and settings\LocalService\AppData
2009-08-18 22:12 . 2009-08-18 22:12 -------- d-----w- c:\documents and settings\Administrator\AppData
2009-08-12 19:28 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-08 13:01 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 13:00 . 2009-08-08 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-08 13:00 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-06 12:59 . 2009-08-06 12:59 -------- d-----w- c:\program files\Microsoft
2009-08-06 12:57 . 2009-08-06 12:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-06 12:56 . 2009-08-06 12:56 152576 ----a-w- c:\documents and settings\Richie\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 14:30 . 2009-08-03 14:30 -------- d-----w- c:\documents and settings\Richie\Application Data\Malwarebytes
2009-08-03 12:56 . 2009-08-03 12:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-03 12:53 . 2009-08-03 12:53 -------- d-----w- C:\AVGTemp
2009-08-03 12:04 . 2009-08-03 12:04 -------- d-sh--w- c:\documents and settings\Richie\IECompatCache
2009-08-03 12:02 . 2009-08-03 12:02 -------- d-sh--w- c:\documents and settings\Richie\PrivacIE
2009-08-03 12:00 . 2009-08-03 12:00 -------- d-sh--w- c:\documents and settings\Richie\IETldCache
2009-08-03 12:00 . 2009-08-03 12:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-03 11:55 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-03 11:55 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-03 11:55 . 2009-08-03 11:55 -------- d-----w- c:\windows\ie8updates
2009-08-03 11:55 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-03 11:54 . 2009-08-03 11:54 -------- dc-h--w- c:\windows\ie8
2009-08-02 14:25 . 2009-08-03 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-02 14:09 . 2009-08-18 19:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-02 00:34 . 2009-08-01 16:16 6256600 ---ha-w- c:\documents and settings\Richie\Application Data\mjusbsp\Upgrade\setup2.exe
2009-08-02 00:34 . 2009-08-01 16:12 728600 ---ha-w- c:\documents and settings\Richie\Application Data\mjusbsp\Upgrade\install2.exe
2009-08-01 16:16 . 2009-08-01 16:16 95576 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\ug00000\magicJack.dll
2009-08-01 16:16 . 2009-08-01 16:16 6256600 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\ug00000\setup.exe
2009-08-01 16:16 . 2009-08-01 16:16 413304 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\magicJackLoader.exe
2009-08-01 16:16 . 2009-08-01 16:16 480608 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\octvqe1_apiw.dll
2009-08-01 16:16 . 2009-08-01 16:16 214360 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\TjVista.dll
2009-08-01 16:16 . 2009-08-01 16:16 325040 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\TjIpSys.dll
2009-08-01 16:16 . 2009-08-01 16:16 570736 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\SJHandsetMagicJack.dll
2009-08-01 16:15 . 2009-08-01 16:15 87384 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\st00000\mjsetup.exe
2009-08-01 16:15 . 2009-08-01 16:15 95576 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\st00000\magicJack.dll
2009-08-01 16:15 . 2009-08-01 16:15 95576 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\magicJack.dll
2009-08-01 16:13 . 2009-08-01 16:13 12231512 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\magicJack.exe
2009-08-01 16:12 . 2009-08-01 16:12 728600 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\ug00000\install.exe
2009-08-01 16:12 . 2009-08-01 16:12 87384 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\in00000\mjsetup.exe
2009-08-01 16:12 . 2009-08-01 16:12 95576 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\in00000\magicJack.dll
2009-08-01 16:11 . 2009-08-01 16:11 441704 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2009-08-01 16:11 . 2009-08-01 16:11 441704 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\st00000\magicJackSplash.exe
2009-08-01 16:11 . 2009-08-01 16:11 441704 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\magicJackSplash.exe
2009-08-01 16:11 . 2009-08-01 16:11 441704 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\in00000\magicJackSplash.exe
2009-08-01 16:11 . 2009-08-01 16:11 50520 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\cdloader2.exe
2009-07-31 23:48 . 2009-07-31 23:48 -------- d-----w- c:\documents and settings\Richie\Application Data\Logs
2009-07-29 00:43 . 2009-07-29 00:43 -------- d-----w- c:\program files\Netflix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 11:38 . 2008-04-29 18:44 -------- d-----w- c:\documents and settings\Richie\Application Data\mjusbsp
2009-08-26 11:37 . 2007-12-13 21:36 -------- d-----w- c:\program files\SpeedFan
2009-08-22 19:54 . 2008-10-10 11:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-18 17:16 . 2008-02-14 13:01 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-10 12:27 . 2007-12-23 17:28 -------- d-----w- c:\program files\Microsoft Picture It! PhotoPub
2009-08-07 15:54 . 2009-04-12 21:53 -------- d-----w- c:\documents and settings\Richie\Application Data\HPAppData
2009-08-06 13:09 . 2008-04-29 18:48 -------- d-----w- c:\program files\Java
2009-08-05 09:11 . 2007-12-01 19:22 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 22:29 . 2008-02-19 23:45 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-02 14:28 . 2007-12-30 14:38 -------- d-----w- c:\program files\Google
2009-08-01 12:25 . 2008-03-08 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-18 02:44 . 2009-07-18 02:44 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-18 02:44 . 2007-12-02 09:47 -------- d-----w- c:\program files\Common Files\Real
2009-07-17 18:55 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 07:56 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-09 12:39 . 2009-05-07 01:21 -------- d-----w- c:\program files\Coupons
2009-07-03 17:09 . 2001-08-23 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:55 . 2001-08-23 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2001-08-23 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2001-08-23 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2008-06-05 15:05 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-09 00:31 . 2009-06-09 00:31 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-06-09 00:31 . 2009-06-09 00:31 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-06-05 07:42 . 2007-11-28 18:47 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2007-12-01 19:22 1290752 ----a-w- c:\windows\system32\quartz.dll
2007-12-30 14:39 . 2007-12-30 14:39 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2004-08-04 07:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2004-08-04 07:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\dllcache\cache\sfcfiles.dll

c:\windows\system32\sfcfiles.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot_2009-08-18_21.41.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-28 18:52 . 2009-08-26 11:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-28 18:52 . 2009-08-18 19:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-28 18:52 . 2009-08-26 11:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-28 18:52 . 2009-08-18 19:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-28 18:52 . 2009-08-26 11:42 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-11-28 18:52 . 2009-08-18 19:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-11 16:38 . 2007-12-11 16:38 262144 c:\windows\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Richie\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"NortonAntiBot"="c:\program files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe" [2008-09-08 1378840]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 149280]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

c:\documents and settings\Richie\Start Menu\Programs\Startup\
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2007-9-17 2902528]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON SMART PANEL for Scanner.lnk]
backup=c:\windows\pss\EPSON SMART PANEL for Scanner.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]
backup=c:\windows\pss\Winter Fun Wallpaper Changer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Richie^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Richie^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
backup=c:\windows\pss\reminder-ScanSoft Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Richie\\Application Data\\mjusbsp\\magicJack.exe"=

R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [11/27/1998 11:57 PM 6144]
S2 gupdate1c9f1dca162a76;Google Update Service (gupdate1c9f1dca162a76);c:\program files\Google\Update\GoogleUpdate.exe [6/20/2009 3:19 PM 133104]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Richie\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Richie\LOCALS~1\Temp\ALSysIO.sys [?]
S3 MapMem;MapMem;\??\j:\mapmem.sys --> j:\mapmem.sys [?]
S3 PhotoFrame;PhotoFrame_2.0 Device;c:\windows\system32\drivers\PhotoFrame.sys [12/24/2007 3:20 AM 30464]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-20 19:19]

2009-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-20 19:19]

2008-08-23 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-23 17:32]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-23 17:32]

2009-08-26 c:\windows\Tasks\User_Feed_Synchronization-{B51A3D1F-94E9-495B-B582-BD1A2A98ABED}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1227789090&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D680107031&id=64855
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Richie\Application Data\Mozilla\Firefox\Profiles\jo4cc0kk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://watch-movies-links.net/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-26 08:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1664)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-26 8:50
ComboFix-quarantined-files.txt 2009-08-26 12:50
ComboFix2.txt 2009-08-18 22:12
ComboFix3.txt 2009-08-08 15:27
ComboFix4.txt 2009-08-08 12:59
ComboFix5.txt 2009-08-26 12:40

Pre-Run: 32,797,921,280 bytes free
Post-Run: 32,891,203,584 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
258 --- E O F --- 2009-08-13 05:13

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:12:12 PM

Posted 26 August 2009 - 10:20 AM

Hello.

Overall looks good, just a few things we can take care of.



Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    Driver::
    MapMem
    ALSysIO
    Viewpoint Manager Service
    File::
    c:\docume~1\Richie\LOCALS~1\Temp\ALSysIO.sys
    Folder::
    c:\program files\Viewpoint
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    FCopy::
    c:\windows\ServicePackFiles\i386\sfcfiles.dll | c:\windows\system32\sfcfiles.dll
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Take a new DDS run for my review and post back with the two logs.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 RikCab

RikCab
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male
  • Location:Wareham, Ma, USA
  • Local time:12:12 PM

Posted 26 August 2009 - 11:22 AM

Hi EB,

Here are the files. I wasn't sure if you also wanted the attach.zip file, so I am including it. Thanks....


ComboFix1


ComboFix 09-08-02.04 - Richie 08/03/2009 9:28.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.586 [GMT -4:00]
Running from: c:\documents and settings\Richie\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\12c51e.msp
c:\windows\Installer\12c51f.msp
c:\windows\Installer\12c520.msp
c:\windows\Installer\12c521.msp
c:\windows\Installer\12c522.msp
c:\windows\Installer\12c523.msp
c:\windows\Installer\12c524.msp
c:\windows\Installer\12c525.msp
c:\windows\Installer\12c526.msp
c:\windows\Installer\1557b0.msp
c:\windows\Installer\1557b1.msp
c:\windows\Installer\1557b2.msp
c:\windows\Installer\1557b3.msp
c:\windows\Installer\1557b4.msp
c:\windows\Installer\1557b5.msp
c:\windows\Installer\1557b6.msp
c:\windows\Installer\1557b7.msp
c:\windows\Installer\1557b8.msp
c:\windows\Installer\20a9a3.msp
c:\windows\Installer\20a9a4.msp
c:\windows\Installer\20a9a5.msp
c:\windows\Installer\20a9a6.msp
c:\windows\Installer\20a9a7.msp
c:\windows\Installer\20a9a8.msp
c:\windows\Installer\20a9a9.msp
c:\windows\Installer\20a9aa.msp
c:\windows\Installer\20a9ab.msp
c:\windows\Installer\20db61.msp
c:\windows\Installer\20db62.msp
c:\windows\Installer\20db63.msp
c:\windows\Installer\20db64.msp
c:\windows\Installer\20db65.msp
c:\windows\Installer\20db66.msp
c:\windows\Installer\20db67.msp
c:\windows\Installer\20db68.msp
c:\windows\Installer\20db69.msp
c:\windows\Installer\303fa0.msp
c:\windows\Installer\303fa1.msp
c:\windows\Installer\303fa2.msp
c:\windows\Installer\303fa3.msp
c:\windows\Installer\303fa4.msp
c:\windows\Installer\303fa5.msp
c:\windows\Installer\303fa6.msp
c:\windows\Installer\303fa7.msp
c:\windows\Installer\303fa8.msp
c:\windows\Installer\35a046.msp
c:\windows\Installer\35a047.msp
c:\windows\Installer\35a048.msp
c:\windows\Installer\35a049.msp
c:\windows\Installer\35a04a.msp
c:\windows\Installer\35a04b.msp
c:\windows\Installer\35a04c.msp
c:\windows\Installer\35a04d.msp
c:\windows\Installer\35a04e.msp
c:\windows\Installer\36e3d.msp
c:\windows\Installer\36e3e.msp
c:\windows\Installer\36e3f.msp
c:\windows\Installer\36e40.msp
c:\windows\Installer\36e41.msp
c:\windows\Installer\36e42.msp
c:\windows\Installer\36e43.msp
c:\windows\Installer\36e44.msp
c:\windows\Installer\36e45.msp
c:\windows\Installer\36f94.msp
c:\windows\Installer\36f95.msp
c:\windows\Installer\36f96.msp
c:\windows\Installer\36f97.msp
c:\windows\Installer\36f98.msp
c:\windows\Installer\36f99.msp
c:\windows\Installer\36f9a.msp
c:\windows\Installer\36f9b.msp
c:\windows\Installer\36f9c.msp
c:\windows\Installer\3dd0ef.msp
c:\windows\Installer\3dd0f0.msp
c:\windows\Installer\3dd0f1.msp
c:\windows\Installer\3dd0f2.msp
c:\windows\Installer\3dd0f3.msp
c:\windows\Installer\3dd0f4.msp
c:\windows\Installer\3dd0f5.msp
c:\windows\Installer\3dd0f6.msp
c:\windows\Installer\3dd0f7.msp
c:\windows\Installer\44dd75.msp
c:\windows\Installer\44dd76.msp
c:\windows\Installer\44dd77.msp
c:\windows\Installer\44dd78.msp
c:\windows\Installer\44dd79.msp
c:\windows\Installer\44dd7a.msp
c:\windows\Installer\44dd7b.msp
c:\windows\Installer\44dd7c.msp
c:\windows\Installer\44dd7d.msp
c:\windows\Installer\574450.msp
c:\windows\Installer\59df6e.msp
c:\windows\Installer\59df6f.msp
c:\windows\Installer\59df70.msp
c:\windows\Installer\59df71.msp
c:\windows\Installer\59df72.msp
c:\windows\Installer\59df73.msp
c:\windows\Installer\59df74.msp
c:\windows\Installer\59df75.msp
c:\windows\Installer\59df76.msp
c:\windows\Installer\63b601.msp
c:\windows\Installer\63b602.msp
c:\windows\Installer\63b603.msp
c:\windows\Installer\63b604.msp
c:\windows\Installer\63b605.msp
c:\windows\Installer\63b606.msp
c:\windows\Installer\63b607.msp
c:\windows\Installer\63b608.msp
c:\windows\Installer\63b609.msp
c:\windows\Installer\6431d8.msp
c:\windows\Installer\6431d9.msp
c:\windows\Installer\6431da.msp
c:\windows\Installer\6431db.msp
c:\windows\Installer\6431dc.msp
c:\windows\Installer\6431dd.msp
c:\windows\Installer\6431de.msp
c:\windows\Installer\6431df.msp
c:\windows\Installer\6431e0.msp
c:\windows\Installer\780f7a.msp
c:\windows\Installer\780f7b.msp
c:\windows\Installer\780f7c.msp
c:\windows\Installer\780f7d.msp
c:\windows\Installer\780f7e.msp
c:\windows\Installer\780f7f.msp
c:\windows\Installer\780f80.msp
c:\windows\Installer\780f81.msp
c:\windows\Installer\780f82.msp
c:\windows\Installer\9892a.msp
c:\windows\Installer\9892b.msp
c:\windows\Installer\9892c.msp
c:\windows\Installer\9892d.msp
c:\windows\Installer\9892e.msp
c:\windows\Installer\9892f.msp
c:\windows\Installer\98930.msp
c:\windows\Installer\98931.msp
c:\windows\Installer\98932.msp
c:\windows\Installer\a2c6a.msp
c:\windows\Installer\a2fdda.msi
c:\windows\Installer\b14351.msp
c:\windows\Installer\b341d6.msp
c:\windows\Installer\b357fd.msp
c:\windows\Installer\b357fe.msp
c:\windows\Installer\b357ff.msp
c:\windows\Installer\b35800.msp
c:\windows\Installer\b35801.msp
c:\windows\Installer\b35802.msp
c:\windows\Installer\b35803.msp
c:\windows\Installer\b35804.msp
c:\windows\Installer\b35805.msp
c:\windows\Installer\b4d31.msp
c:\windows\Installer\b4d32.msp
c:\windows\Installer\b4d33.msp
c:\windows\Installer\b4d34.msp
c:\windows\Installer\b4d35.msp
c:\windows\Installer\b4d36.msp
c:\windows\Installer\b4d37.msp
c:\windows\Installer\b4d38.msp
c:\windows\Installer\b4d39.msp
c:\windows\Installer\d44ea.msp
c:\windows\Installer\d44eb.msp
c:\windows\Installer\d44ec.msp
c:\windows\Installer\d44ed.msp
c:\windows\Installer\d44ee.msp
c:\windows\Installer\d44ef.msp
c:\windows\Installer\d44f0.msp
c:\windows\Installer\d44f1.msp
c:\windows\Installer\d44f2.msp
c:\windows\system32\drivers\UACcdovmpxjng.sys
c:\windows\system32\UACcmodqcmcwq.dll
c:\windows\system32\UACdwupqlxmdt.db
c:\windows\system32\UACiltiqkdqxi.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACioyxltoqol.dll
c:\windows\system32\UACoxubgrvdyx.dll
c:\windows\system32\UACywhoppjnbg.dll
c:\windows\system32\UACyxybtamisk.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.

2009-08-03 12:56 . 2009-08-03 12:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-03 12:53 . 2009-08-03 12:53 -------- d-----w- C:\AVGTemp
2009-08-03 12:04 . 2009-08-03 12:04 -------- d-sh--w- c:\documents and settings\Richie\IECompatCache
2009-08-03 12:02 . 2009-08-03 12:02 -------- d-sh--w- c:\documents and settings\Richie\PrivacIE
2009-08-03 12:00 . 2009-08-03 12:00 -------- d-sh--w- c:\documents and settings\Richie\IETldCache
2009-08-03 12:00 . 2009-08-03 12:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-03 11:55 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-03 11:55 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-03 11:55 . 2009-08-03 11:55 -------- d-----w- c:\windows\ie8updates
2009-08-03 11:55 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-03 11:54 . 2009-08-03 11:54 -------- dc-h--w- c:\windows\ie8
2009-08-02 23:09 . 2009-08-02 23:09 -------- d-----w- c:\program files\NVT Malware Remover Tool
2009-08-02 16:07 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-02 14:28 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-02 14:25 . 2009-08-02 14:25 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-02 14:25 . 2009-08-02 14:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-08-02 14:25 . 2009-08-02 14:25 -------- d-----w- c:\program files\Lavasoft
2009-08-02 14:09 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-02 14:09 . 2009-08-02 14:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-02 14:09 . 2009-08-02 14:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-02 14:09 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 23:48 . 2009-07-31 23:48 -------- d-----w- c:\documents and settings\Richie\Application Data\Logs
2009-07-29 00:43 . 2009-07-29 00:43 -------- d-----w- c:\program files\Netflix
2009-07-18 23:51 . 2009-07-18 23:51 -------- d-----w- c:\documents and settings\Richie\Local Settings\Application Data\Temp
2009-07-18 02:44 . 2009-07-18 02:44 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-09 12:39 . 2009-07-09 12:39 -------- d-----w- c:\windows\Cache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-03 13:43 . 2008-04-29 18:44 -------- d-----w- c:\documents and settings\Richie\Application Data\mjusbsp
2009-08-03 13:41 . 2008-10-10 11:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-03 13:41 . 2007-12-13 21:36 -------- d-----w- c:\program files\SpeedFan
2009-08-02 14:28 . 2007-12-30 14:38 -------- d-----w- c:\program files\Google
2009-08-01 12:25 . 2008-03-08 19:17 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
2009-07-30 16:06 . 2009-04-12 21:53 -------- d-----w- c:\documents and settings\Richie\Application Data\HPAppData
2009-07-18 02:44 . 2007-12-02 09:47 -------- d-----w- c:\program files\Common Files\Real
2009-07-16 13:24 . 2007-12-23 17:28 -------- d-----w- c:\program files\Microsoft Picture It! PhotoPub
2009-07-09 12:39 . 2009-05-07 01:21 -------- d-----w- c:\program files\Coupons
2009-07-03 17:09 . 2001-08-23 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-20 19:21 . 2008-06-07 17:21 -------- d-----w- c:\program files\DivX
2009-06-20 19:20 . 2009-06-20 19:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-09 00:35 . 2009-06-09 00:35 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\CyberLink
2009-06-09 00:35 . 2009-06-09 00:34 -------- d-----w- c:\program files\CyberLink
2009-06-09 00:34 . 2007-12-16 16:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-09 00:31 . 2009-06-09 00:31 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-06-09 00:31 . 2009-06-09 00:31 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-05-07 15:44 . 2008-06-05 15:06 344064 ----a-w- c:\windows\system32\localspl.dll
2007-12-30 14:39 . 2007-12-30 14:39 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-05-24 04:06 . 2009-01-10 04:09 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"cdloader"="c:\documents and settings\Richie\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

c:\documents and settings\Richie\Start Menu\Programs\Startup\
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2007-9-17 2902528]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON SMART PANEL for Scanner.lnk]
backup=c:\windows\pss\EPSON SMART PANEL for Scanner.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]
backup=c:\windows\pss\Winter Fun Wallpaper Changer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Richie^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Richie^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
backup=c:\windows\pss\reminder-ScanSoft Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Richie^Start Menu^Programs^Startup^SpeedFan.lnk]
path=c:\documents and settings\Richie\Start Menu\Programs\Startup\SpeedFan.lnk
backup=c:\windows\pss\SpeedFan.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Custom Uninstall Tracking
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_UninstallTracking

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Richie\\Application Data\\mjusbsp\\magicJack.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/2/2009 10:28 AM 64160]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [11/27/1998 11:57 PM 6144]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S2 gupdate1c9f1dca162a76;Google Update Service (gupdate1c9f1dca162a76);c:\program files\Google\Update\GoogleUpdate.exe [6/20/2009 3:19 PM 133104]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Richie\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Richie\LOCALS~1\Temp\ALSysIO.sys [?]
S3 MapMem;MapMem;\??\j:\mapmem.sys --> j:\mapmem.sys [?]
S3 PhotoFrame;PhotoFrame_2.0 Device;c:\windows\system32\drivers\PhotoFrame.sys [12/24/2007 3:20 AM 30464]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - avgrsstx.dll
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1227789090&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D680107031&id=64855
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
FF - ProfilePath - c:\docume~1\Richie\APPLIC~1\Mozilla\Firefox\Profiles\jo4cc0kk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://watch-movies-links.net/
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJPI150_14.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-03 09:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3416)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\pctspk.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\McAfee.com\Agent\mcagent.exe
c:\program files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-08-03 9:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-03 13:48

Pre-Run: 32,710,180,864 bytes free
Post-Run: 32,599,416,832 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
422 --- E O F --- 2009-08-03 11:56





DDS


DDS (Ver_09-07-30.01) - NTFSx86
Run by Richie at 12:22:20.70 on Wed 08/26/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.474 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
svchost.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Symantec\Norton AntiBot\agent\bin\NABMonitor.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Richie\Application Data\mjusbsp\st00000\mjsetup.exe
C:\Documents and Settings\Richie\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Documents and Settings\Richie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1227789090&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D680107031&id=64855
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Upromise IE Toolbar: {06e58e5e-f8cb-4049-991e-a41c03bd419e} - c:\program files\upromise\upromisetoolbar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [cdloader] "c:\documents and settings\richie\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver\LVCOMS.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NortonAntiBot] "c:\program files\symantec\norton antibot\agent\bin\NortonAntiBot.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\richie\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - c:\program files\upromise\upromisetoolbar.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} - hxxp://econetreports.ecolab.com/viewer9/activeXViewer/activexviewer.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} - hxxps://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196535412608
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://www.taxsimple.org/tsweb/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://support.magicjack.com/jre-1_5_0_14-windows-i586-p.exe
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} - hxxp://fdl.msn.com/public/investor/v13/ticker.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5182/mcfscan.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by127fd.bay127.hotmail.msn.com/activex/HMAtchmt.ocx
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\richie\applic~1\mozilla\firefox\profiles\jo4cc0kk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://watch-movies-links.net/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-23 201320]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-23 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-8-23 144704]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 SymantecAntiBotAgent;SymantecAntiBotAgent;c:\program files\symantec\norton antibot\agent\bin\NABAgent.exe [2008-9-8 4910104]
R2 SymantecAntiBotWatcher;SymantecAntiBotWatcher;c:\program files\symantec\norton antibot\agent\bin\NABWatcher.exe [2008-9-8 539160]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-8-23 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-23 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-23 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-23 40488]
R3 SymantecAntiBotDriver;SymantecAntiBotDriver;c:\program files\symantec\norton antibot\agent\driver\AntiBotDriver.sys [2008-9-8 161304]
R3 SymantecAntiBotFilter;SymantecAntiBotFilter;c:\program files\symantec\norton antibot\agent\driver\AntiBotFilter.sys [2008-9-8 29720]
R3 SymantecAntiBotShim;SymantecAntiBotShim;c:\program files\symantec\norton antibot\agent\driver\AntiBotShim.sys [2008-9-8 27280]
S2 gupdate1c9f1dca162a76;Google Update Service (gupdate1c9f1dca162a76);c:\program files\google\update\GoogleUpdate.exe [2009-6-20 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-23 33832]
S3 PhotoFrame;PhotoFrame_2.0 Device;c:\windows\system32\drivers\PhotoFrame.sys [2007-12-24 30464]

=============== Created Last 30 ================

2009-08-26 11:41 1,580,544 -------- c:\windows\system32\sfcfiles.dll
2009-08-25 17:14 <DIR> --d----- c:\program files\ESET
2009-08-25 07:59 368,912 a------- c:\windows\system32\vbar332.dll
2009-08-25 07:59 140,288 a------- c:\windows\system32\COMDLG32.OCX
2009-08-18 18:12 <DIR> --d----- c:\documents and settings\richie\AppData
2009-08-12 15:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 15:28 655,872 -c------ c:\windows\system32\dllcache\mstscax.dll
2009-08-08 09:01 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 09:00 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 09:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-06 08:59 <DIR> --d----- c:\program files\Microsoft
2009-08-06 08:57 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-05 05:11 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 10:30 <DIR> --d----- c:\docume~1\richie\applic~1\Malwarebytes
2009-08-03 09:46 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-03 09:16 <DIR> a-dshr-- C:\cmdcons
2009-08-03 09:14 229,376 a------- c:\windows\PEV.exe
2009-08-03 09:14 161,792 a------- c:\windows\SWREG.exe
2009-08-03 09:14 98,816 a------- c:\windows\sed.exe
2009-08-03 08:53 <DIR> --d----- C:\AVGTemp
2009-08-03 08:04 <DIR> --dsh--- c:\documents and settings\richie\IECompatCache
2009-08-03 08:02 <DIR> --dsh--- c:\documents and settings\richie\PrivacIE
2009-08-03 08:00 <DIR> --dsh--- c:\documents and settings\richie\IETldCache
2009-08-03 07:55 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-03 07:55 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-03 07:55 <DIR> --d----- c:\windows\ie8updates
2009-08-03 07:55 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-03 07:54 <DIR> -cd-h--- c:\windows\ie8
2009-08-02 10:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-31 19:48 <DIR> --d----- c:\docume~1\richie\applic~1\Logs
2009-07-28 20:43 <DIR> --d----- c:\program files\Netflix

==================== Find3M ====================

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 02:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-08 20:31 2,272 a------- c:\windows\system32\w95inf16.dll
2009-06-08 20:31 4,608 a------- c:\windows\system32\w95inf32.dll
2009-06-05 03:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2007-12-30 10:39 774,144 a------- c:\program files\RngInterstitial.dll
2008-06-05 21:37 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060520080606\index.dat

============= FINISH: 12:23:14.46 ===============

#11 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 26 August 2009 - 12:42 PM

Hello.

That's not the correct Combofix log... Did you run CFScript?
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 RikCab

  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male
  • Location:Wareham, Ma, USA

Posted 26 August 2009 - 05:05 PM

Hey EB,

I did as you asked. I copied the info in the box as CFScript.txt and saved it to my desktop with Combofix. I had originally saved the ComboFix file on my desktop as ComboFix1. Also, on dropping the CFScript.txt file on top of the ComboFix file, it started and said there was a newer version of ComboFix and asked if I wanted to update. I said yes and it did its thing.
So I renamed the file back to ComboFix, recopied the file CFScript.txt to my desktop and redid it as you asked. This is the file it saved.
Thanks Again,
P.S.
If I am doing something wrong, please explain again.




ComboFix 09-08-26.05 - Richie 08/26/2009 17:53.12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.514 [GMT -4:00]
Running from: c:\documents and settings\Richie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Richie\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

FILE ::
"c:\docume~1\Richie\LOCALS~1\Temp\ALSysIO.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\sfcfiles.dll --> c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))
.

2009-08-26 16:18 . 2009-08-01 16:16 6256600 ---ha-w- c:\documents and settings\Richie\Application Data\mjusbsp\in00000\setup.exe
2009-08-26 16:18 . 2009-08-01 16:12 728600 ---ha-w- c:\documents and settings\Richie\Application Data\mjusbsp\ar00000\install.exe
2009-08-26 16:18 . 2008-02-29 12:42 386496 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\ar00000\magicJackSplash.exe
2009-08-26 15:41 . 2004-08-04 07:56 1580544 -c--a-w- c:\windows\system32\dllcache\sfcfiles.dll
2009-08-26 15:41 . 2004-08-04 07:56 1580544 ----a-w- c:\windows\system32\sfcfiles.dll
2009-08-25 21:14 . 2009-08-25 21:14 -------- d-----w- c:\program files\ESET
2009-08-25 11:59 . 1998-04-24 23:08 368912 ----a-w- c:\windows\system32\vbar332.dll
2009-08-18 22:12 . 2009-08-18 22:12 -------- d-----w- c:\documents and settings\Richie\Local Settings\Application Data\temp
2009-08-18 22:12 . 2009-08-18 22:12 -------- d-----w- c:\documents and settings\Richie\AppData
2009-08-18 22:12 . 2009-08-18 22:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\temp
2009-08-18 22:12 . 2009-08-18 22:12 -------- d-----w- c:\documents and settings\NetworkService\AppData
2009-08-18 22:12 . 2009-08-18 22:12 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\temp
2009-08-18 22:12 . 2009-08-18 22:12 -------- d-----w- c:\documents and settings\LocalService\AppData
2009-08-18 22:12 . 2009-08-18 22:12 -------- d-----w- c:\documents and settings\Administrator\AppData
2009-08-12 19:28 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-08 13:01 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 13:00 . 2009-08-08 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-08 13:00 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-06 12:59 . 2009-08-06 12:59 -------- d-----w- c:\program files\Microsoft
2009-08-06 12:57 . 2009-08-06 12:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-06 12:56 . 2009-08-06 12:56 152576 ----a-w- c:\documents and settings\Richie\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 14:30 . 2009-08-03 14:30 -------- d-----w- c:\documents and settings\Richie\Application Data\Malwarebytes
2009-08-03 12:56 . 2009-08-03 12:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-03 12:53 . 2009-08-03 12:53 -------- d-----w- C:\AVGTemp
2009-08-03 12:04 . 2009-08-03 12:04 -------- d-sh--w- c:\documents and settings\Richie\IECompatCache
2009-08-03 12:02 . 2009-08-03 12:02 -------- d-sh--w- c:\documents and settings\Richie\PrivacIE
2009-08-03 12:00 . 2009-08-03 12:00 -------- d-sh--w- c:\documents and settings\Richie\IETldCache
2009-08-03 12:00 . 2009-08-03 12:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-03 11:55 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-03 11:55 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-03 11:55 . 2009-08-03 11:55 -------- d-----w- c:\windows\ie8updates
2009-08-03 11:55 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-03 11:54 . 2009-08-03 11:54 -------- dc-h--w- c:\windows\ie8
2009-08-02 14:25 . 2009-08-03 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-02 14:09 . 2009-08-18 19:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-02 00:34 . 2009-08-01 16:16 6256600 ---ha-w- c:\documents and settings\Richie\Application Data\mjusbsp\Upgrade\setup2.exe
2009-08-02 00:34 . 2009-08-01 16:12 728600 ---ha-w- c:\documents and settings\Richie\Application Data\mjusbsp\Upgrade\install2.exe
2009-08-01 16:16 . 2009-08-01 16:16 95576 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\ug00000\magicJack.dll
2009-08-01 16:16 . 2009-08-01 16:16 6256600 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\ug00000\setup.exe
2009-08-01 16:16 . 2009-08-01 16:16 413304 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\magicJackLoader.exe
2009-08-01 16:16 . 2009-08-01 16:16 480608 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\octvqe1_apiw.dll
2009-08-01 16:16 . 2009-08-01 16:16 214360 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\TjVista.dll
2009-08-01 16:16 . 2009-08-01 16:16 325040 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\TjIpSys.dll
2009-08-01 16:16 . 2009-08-01 16:16 570736 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\SJHandsetMagicJack.dll
2009-08-01 16:15 . 2009-08-01 16:15 87384 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\st00000\mjsetup.exe
2009-08-01 16:15 . 2009-08-01 16:15 95576 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\st00000\magicJack.dll
2009-08-01 16:15 . 2009-08-01 16:15 95576 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\magicJack.dll
2009-08-01 16:13 . 2009-08-01 16:13 12231512 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\magicJack.exe
2009-08-01 16:12 . 2009-08-01 16:12 728600 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\ug00000\install.exe
2009-08-01 16:12 . 2009-08-01 16:12 87384 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\in00000\mjsetup.exe
2009-08-01 16:12 . 2009-08-01 16:12 95576 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\in00000\magicJack.dll
2009-08-01 16:11 . 2009-08-01 16:11 441704 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2009-08-01 16:11 . 2009-08-01 16:11 441704 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\st00000\magicJackSplash.exe
2009-08-01 16:11 . 2009-08-01 16:11 441704 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\magicJackSplash.exe
2009-08-01 16:11 . 2009-08-01 16:11 441704 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\in00000\magicJackSplash.exe
2009-08-01 16:11 . 2009-08-01 16:11 50520 ----a-w- c:\documents and settings\Richie\Application Data\mjusbsp\cdloader2.exe
2009-07-31 23:48 . 2009-07-31 23:48 -------- d-----w- c:\documents and settings\Richie\Application Data\Logs
2009-07-29 00:43 . 2009-07-29 00:43 -------- d-----w- c:\program files\Netflix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 16:19 . 2008-04-29 18:44 -------- d-----w- c:\documents and settings\Richie\Application Data\mjusbsp
2009-08-26 15:49 . 2007-12-13 21:36 -------- d-----w- c:\program files\SpeedFan
2009-08-26 15:49 . 2008-10-10 11:31 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-18 17:16 . 2008-02-14 13:01 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-10 12:27 . 2007-12-23 17:28 -------- d-----w- c:\program files\Microsoft Picture It! PhotoPub
2009-08-07 15:54 . 2009-04-12 21:53 -------- d-----w- c:\documents and settings\Richie\Application Data\HPAppData
2009-08-06 13:09 . 2008-04-29 18:48 -------- d-----w- c:\program files\Java
2009-08-05 09:11 . 2007-12-01 19:22 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 22:29 . 2008-02-19 23:45 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-02 14:28 . 2007-12-30 14:38 -------- d-----w- c:\program files\Google
2009-08-01 12:25 . 2008-03-08 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-18 02:44 . 2009-07-18 02:44 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-18 02:44 . 2007-12-02 09:47 -------- d-----w- c:\program files\Common Files\Real
2009-07-17 18:55 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 07:56 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-09 12:39 . 2009-05-07 01:21 -------- d-----w- c:\program files\Coupons
2009-07-03 17:09 . 2001-08-23 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-16 14:55 . 2001-08-23 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2001-08-23 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2001-08-23 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2008-06-05 15:05 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-09 00:31 . 2009-06-09 00:31 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-06-09 00:31 . 2009-06-09 00:31 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-06-05 07:42 . 2007-11-28 18:47 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2007-12-01 19:22 1290752 ----a-w- c:\windows\system32\quartz.dll
2007-12-30 14:39 . 2007-12-30 14:39 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-08-18_21.41.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-28 18:52 . 2009-08-26 20:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-28 18:52 . 2009-08-18 19:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-28 18:52 . 2009-08-26 20:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-28 18:52 . 2009-08-18 19:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-28 18:52 . 2009-08-26 20:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-11-28 18:52 . 2009-08-18 19:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-11 16:38 . 2007-12-11 16:38 262144 c:\windows\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Richie\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"NortonAntiBot"="c:\program files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe" [2008-09-08 1378840]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 149280]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

c:\documents and settings\Richie\Start Menu\Programs\Startup\
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2007-9-17 2902528]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON SMART PANEL for Scanner.lnk]
backup=c:\windows\pss\EPSON SMART PANEL for Scanner.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]
backup=c:\windows\pss\Winter Fun Wallpaper Changer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Richie^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Richie^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
backup=c:\windows\pss\reminder-ScanSoft Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Richie\\Application Data\\mjusbsp\\magicJack.exe"=

R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [11/27/1998 11:57 PM 6144]
S2 gupdate1c9f1dca162a76;Google Update Service (gupdate1c9f1dca162a76);c:\program files\Google\Update\GoogleUpdate.exe [6/20/2009 3:19 PM 133104]
S3 PhotoFrame;PhotoFrame_2.0 Device;c:\windows\system32\drivers\PhotoFrame.sys [12/24/2007 3:20 AM 30464]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-20 19:19]

2009-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-20 19:19]

2008-08-23 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-23 17:32]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-23 17:32]

2009-08-26 c:\windows\Tasks\User_Feed_Synchronization-{B51A3D1F-94E9-495B-B582-BD1A2A98ABED}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1227789090&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D680107031&id=64855
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Richie\Application Data\Mozilla\Firefox\Profiles\jo4cc0kk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://watch-movies-links.net/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-26 17:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1540)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-26 18:00
ComboFix-quarantined-files.txt 2009-08-26 22:00
ComboFix2.txt 2009-08-26 16:14
ComboFix3.txt 2009-08-26 15:57
ComboFix4.txt 2009-08-26 12:50
ComboFix5.txt 2009-08-26 21:52

Pre-Run: 34,444,140,544 bytes free
Post-Run: 34,386,075,648 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
240 --- E O F --- 2009-08-13 05:13

#13 RikCab

RikCab
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male
  • Location:Wareham, Ma, USA

Posted 27 August 2009 - 09:40 AM

Just a note: I saw the line "Command switches used :: c:\documents and settings\Richie\Desktop\CFScript.txt". I must have sent the first log from before; my desktop is getting full, lol! Thanks

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 27 August 2009 - 03:27 PM

Hello.

Let's run an online scan then. We'll clean up your desktop afterwards. You may delete some of the log files that you already copied and pasted here and that are still on your desktop.

--

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 RikCab

RikCab
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male
  • Location:Wareham, Ma, USA

Posted 27 August 2009 - 08:08 PM

Hi EB,

Just wanted to say everything is running nicely. One thing I wanted to note: before I ran the online scan I shut off all settings on McAfee and shut off my Norton AntiBot. But when I ran ESET Online Scanner it stated on the bottom that there was another anti-virus program. Under 'show list' I clicked and it stated that McAfee was detected and that it may interfere with the scan. I think it just detected it, that's all? On the DDS log it shows it disabled. Also, can I delete the sub-directory Qoobox that was created by ComboFix?
Thanks again for all your time and energy, Rik


ESET Online Scan said no threats found; it showed no file to export.


DDS


DDS (Ver_09-07-30.01) - NTFSx86
Run by Richie at 21:09:29.34 on Thu 08/27/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.611 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SpeedFan\speedfan.exe
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
C:\Documents and Settings\Richie\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\spider.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\Documents and Settings\Richie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1227789090&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D680107031&id=64855
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Upromise IE Toolbar: {06e58e5e-f8cb-4049-991e-a41c03bd419e} - c:\program files\upromise\upromisetoolbar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [cdloader] "c:\documents and settings\richie\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver\LVCOMS.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NortonAntiBot] "c:\program files\symantec\norton antibot\agent\bin\NortonAntiBot.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\richie\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - c:\program files\upromise\upromisetoolbar.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} - hxxp://econetreports.ecolab.com/viewer9/activeXViewer/activexviewer.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} - hxxps://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196535412608
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://www.taxsimple.org/tsweb/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://support.magicjack.com/jre-1_5_0_14-windows-i586-p.exe
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} - hxxp://fdl.msn.com/public/investor/v13/ticker.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5182/mcfscan.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by127fd.bay127.hotmail.msn.com/activex/HMAtchmt.ocx
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\richie\applic~1\mozilla\firefox\profiles\jo4cc0kk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://watch-movies-links.net/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-23 201320]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-8-23 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-8-23 144704]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 SymantecAntiBotWatcher;SymantecAntiBotWatcher;c:\program files\symantec\norton antibot\agent\bin\NABWatcher.exe [2008-9-8 539160]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-23 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-23 35240]
R3 SymantecAntiBotDriver;SymantecAntiBotDriver;c:\program files\symantec\norton antibot\agent\driver\AntiBotDriver.sys [2008-9-8 161304]
R3 SymantecAntiBotFilter;SymantecAntiBotFilter;c:\program files\symantec\norton antibot\agent\driver\AntiBotFilter.sys [2008-9-8 29720]
R3 SymantecAntiBotShim;SymantecAntiBotShim;c:\program files\symantec\norton antibot\agent\driver\AntiBotShim.sys [2008-9-8 27280]
S2 gupdate1c9f1dca162a76;Google Update Service (gupdate1c9f1dca162a76);c:\program files\google\update\GoogleUpdate.exe [2009-6-20 133104]
S2 SymantecAntiBotAgent;SymantecAntiBotAgent;c:\program files\symantec\norton antibot\agent\bin\NABAgent.exe [2008-9-8 4910104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-23 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-23 40488]
S3 PhotoFrame;PhotoFrame_2.0 Device;c:\windows\system32\drivers\PhotoFrame.sys [2007-12-24 30464]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-8-23 695624]

=============== Created Last 30 ================

2009-08-26 11:41 1,580,544 ac------ c:\windows\system32\dllcache\sfcfiles.dll
2009-08-26 11:41 1,580,544 -------- c:\windows\system32\sfcfiles.dll
2009-08-25 17:14 <DIR> --d----- c:\program files\ESET
2009-08-25 07:59 368,912 a------- c:\windows\system32\vbar332.dll
2009-08-25 07:59 140,288 a------- c:\windows\system32\COMDLG32.OCX
2009-08-18 18:12 <DIR> --d----- c:\documents and settings\richie\AppData
2009-08-12 15:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 15:28 655,872 -c------ c:\windows\system32\dllcache\mstscax.dll
2009-08-08 09:01 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 09:00 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-08 09:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-06 08:59 <DIR> --d----- c:\program files\Microsoft
2009-08-06 08:57 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-05 05:11 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 10:30 <DIR> --d----- c:\docume~1\richie\applic~1\Malwarebytes
2009-08-03 09:46 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-03 09:16 <DIR> a-dshr-- C:\cmdcons
2009-08-03 09:14 229,376 a------- c:\windows\PEV.exe
2009-08-03 09:14 161,792 a------- c:\windows\SWREG.exe
2009-08-03 09:14 98,816 a------- c:\windows\sed.exe
2009-08-03 08:53 <DIR> --d----- C:\AVGTemp
2009-08-03 08:04 <DIR> --dsh--- c:\documents and settings\richie\IECompatCache
2009-08-03 08:02 <DIR> --dsh--- c:\documents and settings\richie\PrivacIE
2009-08-03 08:00 <DIR> --dsh--- c:\documents and settings\richie\IETldCache
2009-08-03 07:55 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-08-03 07:55 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-08-03 07:55 <DIR> --d----- c:\windows\ie8updates
2009-08-03 07:55 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-03 07:54 <DIR> -cd-h--- c:\windows\ie8
2009-08-02 10:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-31 19:48 <DIR> --d----- c:\docume~1\richie\applic~1\Logs

==================== Find3M ====================

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 07:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 02:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-08 20:31 2,272 a------- c:\windows\system32\w95inf16.dll
2009-06-08 20:31 4,608 a------- c:\windows\system32\w95inf32.dll
2009-06-05 03:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2007-12-30 10:39 774,144 a------- c:\program files\RngInterstitial.dll
2008-06-05 21:37 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060520080606\index.dat

============= FINISH: 21:10:05.76 ===============

Attached Files
