NTOSKRNL-HOOK VIRUS - NEED HELP


This topic is locked
1 reply to this topic

#1 amm004

amm004

  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 17 August 2009 - 08:46 AM

I am running Windows Vista for business. I have McAfee and Advanced SystemCare running on my system. Yesterday, I suddenly noticed my computer would reboot. Prior to rebooting, a blue screen would appear with some code, but only momentarily, so I could not read anything on the blue screen. Anyway, my system would be stable in safe mode.

I ran McAfee and it told me that it had detected and cleaned the NTOSKRNL-HOOK VIRUS. However, I again got the same problem. I ran McAfee again. It detected the same virus again, and told me that it was clean again. Wrong again. I did some research and came across a program called ComboFix. I ran ComboFix after completely disabling McAfee, and it created a log, which I have posted below. While running ComboFix the system gave some messages, mainly pertaining to administrator rights.

The log from ComboFix is given below. I am a computer novice, and I feel that I am playing out of my league here. I would appreciate some help. If there is software out there that can kill this bug, I am willing to buy it and get the protection I need. Help pls......

ComboFix log:

ComboFix 09-08-10.06 - Ali 08/17/2009 16:12.1.2 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.2037.1301 [GMT 3:00]
Running from: G:\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
/wow section not completed

((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-17 08:47 . 2008-03-03 06:47 172032 ----a-w- c:\windows\system32\igfxres.dll
2009-08-16 14:14 . 2009-08-17 07:19 680 ----a-w- c:\users\Ali\AppData\Local\d3d9caps.dat
2009-08-16 06:59 . 2009-03-09 12:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-08-16 06:59 . 2009-03-09 12:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-08-16 06:59 . 2009-03-09 12:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-08-16 06:59 . 2008-10-10 01:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-08-16 06:59 . 2008-10-10 01:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-08-16 06:59 . 2008-10-10 01:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-08-16 06:59 . 2008-07-10 08:01 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-08-16 06:59 . 2008-07-10 08:00 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2009-08-16 06:59 . 2008-07-10 08:00 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2009-08-16 06:59 . 2008-05-30 11:11 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2009-08-16 06:59 . 2008-05-30 11:11 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
2009-08-16 06:45 . 2007-04-04 15:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2009-08-16 06:22 . 2009-08-16 06:58 -------- d--h--w- c:\windows\msdownld.tmp
2009-08-13 21:45 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-13 21:45 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-13 21:45 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-13 21:45 . 2009-06-15 15:22 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-13 21:45 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-13 21:45 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-13 21:45 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-13 21:45 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-12 07:55 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 07:54 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 07:54 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-12 07:54 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-12 07:54 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-12 07:54 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-12 07:53 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-12 07:53 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-04 20:04 . 2009-08-04 20:06 -------- d-----w- c:\users\Ali\AppData\Local\NewSoft
2009-08-04 19:59 . 2006-02-17 11:53 671859 ----a-w- c:\windows\system32\NSEncore.dll
2009-08-04 19:59 . 2005-06-07 22:32 192512 ----a-w- c:\windows\system32\NSM4AEnc.dll
2009-08-04 19:57 . 2007-02-05 08:15 18432 ----a-w- c:\windows\system32\drivers\Achernar.sys
2009-08-04 19:55 . 2001-11-12 07:44 122880 ----a-w- c:\windows\system32\Nsvideo.dll
2009-08-04 19:54 . 2009-08-04 19:59 -------- d-----w- c:\program files\Common Files\NewSoft
2009-08-04 19:54 . 2009-08-04 19:59 -------- d-----w- c:\program files\NewSoft
2009-08-04 19:24 . 2009-07-28 18:31 21896 ----a-w- c:\windows\system32\drivers\eufs.sys
2009-08-04 19:24 . 2009-07-28 18:31 15240 ----a-w- c:\windows\system32\drivers\eudskacs.sys
2009-08-04 19:24 . 2009-07-28 18:31 27016 ----a-w- c:\windows\system32\drivers\eubakup.sys
2009-08-04 19:24 . 2009-07-28 18:31 123784 ----a-w- c:\windows\system32\drivers\EuDisk.sys
2009-08-04 19:23 . 2009-08-04 19:23 -------- d-----w- c:\program files\EASEUS
2009-08-04 16:52 . 2009-08-04 18:35 -------- d-----w- c:\program files\TP-LINK
2009-08-04 06:12 . 2009-08-04 06:12 -------- d-----w- c:\program files\Media Widget
2009-08-04 04:32 . 2009-08-04 04:32 -------- d-----w- c:\users\Ali\AppData\Roaming\BSD
2009-08-02 20:51 . 2009-08-02 20:51 40960 ----a-r- c:\users\Ali\AppData\Roaming\Microsoft\Installer\{2DA701B1-5597-44BA-BA96-ED6A737CCA57}\NewShortcut1_D257A17FF5E44AEF80AC3FD1583976F3.exe
2009-08-02 20:51 . 2009-08-02 20:51 10134 ----a-r- c:\users\Ali\AppData\Roaming\Microsoft\Installer\{2DA701B1-5597-44BA-BA96-ED6A737CCA57}\ARPPRODUCTICON.exe
2009-08-02 20:49 . 2009-08-02 20:49 -------- d-----w- c:\windows\Profiles
2009-08-02 20:49 . 2009-08-02 20:49 -------- d-----w- c:\users\Ali\AppData\Roaming\InterTrust
2009-08-02 20:49 . 2009-08-02 20:49 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-02 20:49 . 1998-10-29 12:45 306688 ----a-w- c:\windows\IsUninst.exe
2009-08-02 20:46 . 2009-08-02 20:46 -------- d-----w- c:\windows\Downloaded Installations
2009-08-02 20:38 . 2009-08-02 20:38 -------- d-----w- c:\users\Ali\AppData\Local\PCM4Everio
2009-08-02 20:38 . 2009-08-02 20:38 -------- d-----w- c:\progra~2\Cyberlink
2009-08-02 20:37 . 2006-06-04 12:48 44544 ----a-w- c:\windows\system32\msxml4a.dll
2009-08-02 20:25 . 2009-08-02 20:38 -------- d-----w- c:\program files\CyberLink
2009-08-02 20:25 . 2009-08-02 20:25 -------- d-----w- c:\program files\Digital Photo Navigator 1.5
2009-08-02 20:16 . 2009-08-02 20:16 -------- d-----w- c:\progra~2\WEBREG
2009-08-02 20:15 . 2009-08-02 20:20 -------- d-----w- c:\users\Ali\AppData\Roaming\HP
2009-08-02 20:05 . 2009-08-02 20:05 -------- d-----w- c:\progra~2\HP Product Assistant
2009-08-02 20:04 . 2009-08-02 20:04 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-02 20:04 . 2009-08-02 20:04 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-08-02 20:03 . 2009-08-02 20:03 -------- d-----w- c:\program files\Common Files\HP
2009-08-02 20:01 . 2008-04-16 04:05 271704 ----a-w- c:\windows\system32\hpzids01.dll
2009-08-02 20:01 . 2008-06-06 17:49 118272 ----a-w- c:\windows\system32\hpz3l692.dll
2009-08-02 20:01 . 2008-04-16 04:05 729088 ----a-w- c:\windows\system32\hposwia_p01a.dll
2009-08-02 20:01 . 2008-04-16 04:05 974848 ----a-w- c:\windows\system32\hpost_p01a.dll
2009-08-02 20:01 . 2008-04-16 04:05 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2009-08-02 20:01 . 2008-02-28 10:08 303104 ----a-w- c:\windows\system32\hposc_p01a.dll
2009-08-02 19:58 . 2009-08-02 20:09 -------- d-----w- c:\program files\HP
2009-08-02 19:56 . 2009-08-02 20:16 166258 ----a-w- c:\windows\hpoins30.dat
2009-08-02 19:56 . 2009-08-02 20:06 -------- d-----w- c:\progra~2\HP
2009-08-02 07:24 . 2009-08-02 07:24 -------- d-----w- c:\users\Ali\AppData\Roaming\LockLizard
2009-08-02 07:24 . 2003-03-19 01:04 765952 ----a-w- c:\windows\system32\msvcp71d.dll
2009-08-02 07:24 . 2003-03-19 01:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2009-08-02 07:24 . 2009-08-02 07:24 -------- d-----w- c:\program files\Lizard Safeguard PDF Viewer
2009-08-02 07:24 . 2009-08-02 07:24 -------- d-----w- c:\progra~2\LockLizard
2009-08-01 13:42 . 2009-08-01 13:46 -------- d-----w- c:\users\Ali\AppData\Roaming\JonDo
2009-08-01 13:15 . 2009-08-01 13:15 -------- d-----w- c:\program files\JonDo
2009-07-30 20:11 . 2009-07-30 20:11 -------- d-----w- c:\progra~2\Office Genuine Advantage
2009-07-28 00:01 . 2009-07-28 00:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2009-07-27 16:09 . 2009-08-16 12:58 -------- d-----w- C:\downloads
2009-07-27 16:09 . 2009-07-27 16:09 -------- d-----w- c:\users\Ali\AppData\Roaming\GrabPro
2009-07-27 16:09 . 2009-08-16 12:56 -------- d-----w- c:\users\Ali\AppData\Roaming\Orbit
2009-07-27 16:09 . 2009-08-04 19:20 -------- d-----w- c:\program files\Orbitdownloader
2009-07-27 13:21 . 2009-08-14 07:50 -------- d-----w- c:\program files\Microsoft Works
2009-07-27 13:19 . 2009-07-27 13:19 -------- d-----w- c:\windows\PCHEALTH
2009-07-27 13:19 . 2009-07-27 13:19 -------- d-----w- c:\program files\Microsoft.NET
2009-07-27 13:11 . 2009-07-27 13:11 -------- d-----w- c:\users\Ali\AppData\Local\Microsoft Help
2009-07-27 13:10 . 2009-08-15 14:05 -------- d-----w- c:\progra~2\Microsoft Help
2009-07-27 10:12 . 2009-07-27 10:38 -------- d-----w- c:\users\Ali\AppData\Roaming\IObit
2009-07-27 10:12 . 2009-07-27 10:38 -------- d-----w- c:\program files\IObit
2009-07-27 10:03 . 2009-07-27 10:03 -------- d-----w- c:\users\Ali\AppData\Roaming\Yahoo!
2009-07-27 09:49 . 2009-07-27 10:00 -------- d-----w- c:\progra~2\Tenebril
2009-07-27 09:44 . 2007-03-13 22:30 1712128 ----a-w- c:\windows\system32\GdiPlus.dll
2009-07-27 09:44 . 2006-07-26 19:13 57344 ----a-w- c:\windows\system32\MFC71ENU.DLL
2009-07-27 09:44 . 2009-07-27 09:44 -------- d-----w- c:\windows\system32\tenarchlib
2009-07-27 09:44 . 2005-10-12 20:10 180224 --s-a-w- c:\windows\system32\archlib.dll
2009-07-26 20:43 . 2009-08-04 20:22 -------- d-----w- c:\users\Ali\AppData\Roaming\dvdcss
2009-07-25 20:01 . 2009-07-25 20:06 -------- d-----w- c:\users\Ali\AppData\Roaming\DivX
2009-07-25 19:53 . 2009-07-25 19:53 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-07-25 19:53 . 2009-07-25 19:59 -------- d-----w- c:\users\Ali\AppData\Local\Google
2009-07-25 19:53 . 2009-07-25 19:53 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-25 19:53 . 2009-07-25 19:58 -------- d-----w- c:\program files\Google
2009-07-25 19:53 . 2009-07-25 19:54 -------- d-----w- c:\program files\DivX
2009-07-22 22:46 . 2009-07-27 12:25 1511936 ----a-w- c:\windows\bsdsetup.dll
2009-07-22 13:05 . 2009-07-27 10:03 -------- d-----w- c:\program files\Yahoo!
2009-07-22 04:51 . 2009-07-22 04:51 -------- d-----w- c:\program files\MSXML 4.0
2009-07-21 20:16 . 2009-07-21 20:15 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 20:15 . 2009-07-21 20:15 -------- d-----w- c:\program files\Java
2009-07-21 20:03 . 2009-08-04 18:59 -------- d-----w- c:\program files\LimeWire
2009-07-21 18:43 . 2009-07-21 18:43 -------- d-----w- c:\progra~2\McAfee Anti-Theft
2009-07-21 00:09 . 2009-07-21 00:09 -------- d-----w- c:\progra~2\SiteAdvisor
2009-07-21 00:05 . 2009-07-31 18:28 -------- d-----w- c:\users\Ali\AppData\Local\Apple Computer
2009-07-21 00:05 . 2009-07-27 20:15 -------- d-----w- c:\users\Ali\AppData\Roaming\Apple Computer
2009-07-21 00:05 . 2009-07-21 00:05 -------- dc----w- c:\windows\system32\DRVSTORE
2009-07-21 00:05 . 2009-03-19 13:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-21 00:05 . 2008-04-17 09:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-07-21 00:04 . 2009-07-21 00:04 -------- d-----w- c:\program files\iPod
2009-07-21 00:04 . 2009-07-21 00:05 -------- d-----w- c:\program files\iTunes
2009-07-20 23:56 . 2009-07-27 20:10 -------- d-----w- c:\progra~2\Apple
2009-07-20 23:48 . 2009-05-13 20:24 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-07-20 23:37 . 2009-07-21 00:10 -------- d-----w- c:\progra~2\McAfee
2009-07-20 23:36 . 2009-08-13 21:39 -------- d-----w- c:\program files\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 18:34 . 2009-07-21 20:18 -------- d-----w- c:\users\Ali\AppData\Roaming\LimeWire
2009-08-13 19:35 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-02 20:24 . 2009-07-20 22:04 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-01 13:42 . 2009-08-01 13:16 15369184 ----a-w- c:\progra~2\JonDoFox.paf.exe
2009-07-27 20:10 . 2009-07-27 20:10 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-07-21 21:52 . 2009-07-30 15:21 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-30 15:21 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-30 15:21 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-30 15:21 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 00:05 . 2009-07-21 00:04 -------- d-----w- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-21 00:04 . 2009-07-20 23:56 -------- d-----w- c:\program files\Common Files\Apple
2009-07-21 00:04 . 2009-07-21 00:01 -------- d-----w- c:\progra~2\Apple Computer
2009-07-21 00:02 . 2009-07-21 00:02 -------- d-----w- c:\program files\Bonjour
2009-07-21 00:02 . 2009-07-21 00:00 -------- d-----w- c:\program files\Common Files\McAfee
2009-07-21 00:02 . 2009-07-21 00:01 -------- d-----w- c:\program files\QuickTime
2009-07-21 00:01 . 2009-07-21 00:00 -------- d-----w- c:\program files\McAfee.com
2009-07-21 00:00 . 2009-07-21 00:00 -------- d-----w- c:\program files\Apple Software Update
2009-07-20 22:04 . 2009-07-20 22:04 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-07-20 22:04 . 2009-07-20 22:04 -------- d-----w- c:\program files\Realtek
2009-07-20 18:11 . 2009-07-20 18:11 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01001.Wdf
2009-07-20 13:51 . 2009-07-20 13:51 315392 ----a-w- c:\windows\HideWin.exe
2009-07-20 08:27 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-07-20 06:39 . 2009-07-20 06:39 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-07-09 09:16 . 2009-07-09 09:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 09:16 . 2009-07-09 09:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-15 15:24 . 2009-07-20 07:29 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-20 07:29 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-20 07:29 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-20 07:29 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-05-24 04:36 . 2009-05-24 04:36 501248 ----a-w- c:\windows\system32\drivers\netr73.sys
2009-05-22 06:03 . 2009-05-22 06:03 221184 ----a-w- c:\windows\system32\RaCoInst.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-21 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-03 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-03 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-03 133656]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-03-03 118784]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-09-19 311296]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-05-01 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-04-09 1176808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-21 148888]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-03-03 4399104]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2008-03-03 1822720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-10-30 748072]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-14 17:05 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DA861119-6CAD-4C47-80FB-922101682520}"= UDP:d:\program files\uTorrent.exe:µTorrent (TCP-In)
"{839049C4-A8A9-4D78-953F-5FFA3C669976}"= TCP:d:\program files\uTorrent.exe:µTorrent (UDP-In)
"{2424A41B-0194-44FB-8CD1-A5E83EAB191B}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{32C2EE64-DB9C-4225-B132-0A6C59ED6AF4}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3CCB0FAC-B4FC-4A51-87BE-C89BB240E70D}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9CE4D591-EE5C-483B-8238-9037CEE4A899}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{0EF1C41B-C82B-4AED-AC11-27DE43631322}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{4AC0F950-3219-4685-8C88-3E5777B8E1CC}"= TCP:6004|d:\program files\Office12\outlook.exe:Microsoft Office Outlook
"{052512BA-4676-4265-B70A-4E43010BE4E4}"= e:\setup\hpznui01.exe:hpznui01.exe
"{02CC3429-FFE5-4F35-B5E6-767F6418F758}"= TCP:427|RPort=427|c:\windows\system32\svchost.exe|Svc=HPSLPSVC:SLP_Service
"{38399467-589A-48F4-AD1F-C9B1BA7D8484}"= c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{65777A68-59BD-4511-BAEA-220F2F8520C6}"= c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{F0C2EE40-0A1E-4D0E-80B1-6C9287690544}"= c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{7355F912-A530-4B95-9F2B-FAAD9C091B74}"= c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{7B5E79ED-1366-43D5-B287-6024B4C7D5D9}"= c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{A9E48863-6632-4633-A730-2B056D0B0C60}"= c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{748F4EF2-B803-4A1B-A43E-5672C306C859}"= c:\program files\Common Files\HP\Digital Imaging\bin\hpqphotocrm.exe:hpqphotocrm.exe
"{0D470543-AF4F-4CF1-A68A-0389ACF2FAC4}"= c:\program files\HP\Digital Imaging\bin\hpqsudi.exe:hpqsudi.exe
"{771CE63B-9E88-4087-AD07-1463F9C22BF6}"= c:\program files\HP\Digital Imaging\bin\hpqpsapp.exe:hpqpsapp.exe
"{0E21B4BA-F973-4FE2-B797-8BC1774E620F}"= c:\program files\HP\Digital Imaging\bin\hpqpse.exe:hpqpse.exe
"{65833856-42FA-4D95-A02A-7FBCAB4C09BE}"= c:\program files\HP\Digital Imaging\bin\hpqgplgtupl.exe:hpqgplgtupl.exe
"{C25C6448-E078-416B-8D91-402C623DE989}"= c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe:hpqgpc01.exe
"{9F8F1135-56B4-4DDA-BE31-A57CABB20FFE}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"= c:\program files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"= c:\program files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit

R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\System32\drivers\Achernar.sys [8/4/2009 10:57 PM 18432]
R0 EUBAKUP;EUBAKUP;c:\windows\System32\drivers\eubakup.sys [8/4/2009 10:24 PM 27016]
R0 EUFS;EUFS;c:\windows\System32\drivers\eufs.sys [8/4/2009 10:24 PM 21896]
R0 McPvDrv;McPvDrv;c:\windows\System32\drivers\McPvDrv.sys [5/28/2008 9:32 AM 61688]
R0 shpf;Sony HDD Protection Filter Driver;c:\windows\System32\drivers\shpf.sys [7/20/2009 11:10 PM 9216]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\System32\drivers\EuDisk.sys [8/4/2009 10:24 PM 123784]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys [7/20/2009 10:47 PM 9344]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\System32\drivers\SonyPI.sys [7/20/2009 10:52 PM 14720]
S2 gupdate1ca0d61a2a1bd69;Google Update Service (gupdate1ca0d61a2a1bd69);c:\program files\Google\Update\GoogleUpdate.exe [7/25/2009 10:53 PM 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/21/2009 3:09 AM 210216]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [7/21/2009 12:38 AM 28464]
S3 EUDSKACS;EUDSKACS;c:\windows\System32\drivers\eudskacs.sys [8/4/2009 10:24 PM 15240]
S3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr73.sys [5/24/2009 7:36 AM 501248]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\System32\drivers\R5U870FLx86.sys [7/20/2009 11:15 PM 75392]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\System32\drivers\R5U870FUx86.sys [7/20/2009 11:15 PM 43904]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [7/21/2009 1:02 AM 333088]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [7/21/2009 12:52 AM 87328]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\System32\drivers\WSDPrint.sys [1/21/2008 5:23 AM 16896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = %3clocal%3e:80
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - d:\progra~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: {05AFE072-5100-4385-B711-1AF40E105541} = 84.23.102.172 84.23.101.84
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 16:27
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1008)
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2009-08-17 16:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-17 13:33

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 19,968,847,360 bytes free

312 --- E O F --- 2009-08-15 14:06

#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,962 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:29 AM

Posted 17 August 2009 - 09:47 PM

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
