Need help removing "active rootkit virus" Globalroot\systemroot "Bad image" error


This topic is locked
22 replies to this topic

#1 Daddyjet

Posted 01 September 2009 - 11:25 PM

I need help removing an "active root kit virus" from my computer. I get error messages upon startup and when opening programs that generally say: wkswp.exe - bad image (the file name changes, but it is usually a .exe file extension.)
The body of the error message says "The application or dll globalroot\systemroot\system32\skynetxsdapgkt.dll is not a valid windows image. Please check this against your installation diskette".

I have requested help in another thread and was directed to start a new thread here. This is a link to the other thread below.

http://www.bleepingcomputer.com/forums/t/252253/need-help-with-globalrootsystemroot-bad-image-error/

I have run DDS and here is the report...

DDS (Ver_09-07-30.01) - NTFSx86
Run by Compaq_Owner at 21:04:36.76 on Tue 09/01/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.181 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Attensa\AttensaEngine.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Attensa\AttensaNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = 127.0.0.1;;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: Attensa for IE: {458e6614-0d24-415a-824a-130064af7bf8} - c:\program files\attensa\AttensaIEPlugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\starta~1.lnk - c:\program files\attensa\AttensaEngine.exe
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin/module.main/favorites\ie_add_to.html
IE: Attensa - Add Feed - c:\progra~1\attensa\ATTENS~3.DLL/ContextMenu.html
IE: Attensa - Preview Feed - c:\progra~1\attensa\ATTENS~3.DLL/ContextMenuPreview.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: accvga - c:\windows\security\database\accvga.dll
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: karna.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\htq44fw4.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214024]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-6-19 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-6-19 144704]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-6-19 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-6-16 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-6-16 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-6-16 40552]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\mcafee\siteadvisor\mcsacore.exe" --> c:\program files\mcafee\siteadvisor\McSACore.exe [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-6-16 34216]

=============== Created Last 30 ================

2009-08-30 18:10 --d----- c:\program files\Cobian Backup 9
2009-08-29 11:22 --d----- c:\program files\Cobian Backup 8
2009-08-27 22:21 15 a------- c:\documents and settings\compaq_owner\settings.dat
2009-08-26 21:14 1,089,593 ac------ c:\windows\system32\dllcache\ntprint.cat
2009-08-25 22:10 --d----- c:\windows\system32\XPSViewer
2009-08-25 22:08 89,088 ac------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-25 22:08 117,760 a------- c:\windows\system32\prntvpt.dll
2009-08-25 22:08 1,676,288 ac------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-25 22:08 597,504 ac------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-25 22:08 575,488 ac------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-25 22:08 1,676,288 a------- c:\windows\system32\xpssvcs.dll
2009-08-25 22:08 575,488 a------- c:\windows\system32\xpsshhdr.dll
2009-08-25 22:08 --d----- C:\ea920a995ed469a5258ec3
2009-08-25 22:07 --d----- c:\windows\SxsCaPendDel
2009-08-17 18:10 18 a---h--- C:\SYSREST
2009-08-11 13:41 128,512 ac------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 13:41 1,315,328 ac------ c:\windows\system32\dllcache\msoe.dll
2009-08-05 02:01 204,800 ac------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-31 21:03 3,649 a------- c:\windows\viassary-hp.reg
2009-08-29 12:13 5,120 a--sh--- c:\program files\Thumbs.db
2009-08-24 23:12 27,220 -------- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 09:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 09:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 01:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 01:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 01:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 01:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 01:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 01:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll
2008-10-08 19:59 16,155 a------- c:\program files\common files\mugafowix._dl
2008-10-08 19:59 13,655 a------- c:\program files\common files\goja.dat
2008-10-08 19:59 19,822 -------- c:\docume~1\alluse~1\applic~1\qytafa.bin
2008-10-08 19:59 19,622 -------- c:\docume~1\compaq~1\applic~1\yrebupoxu.scr
2008-10-08 19:59 10,392 -------- c:\docume~1\compaq~1\applic~1\amipulac.exe
2006-12-07 23:20 2,766 a------- c:\program files\removebdsp.log
2006-12-07 23:16 118,643 a------- c:\program files\uninstal.log
2005-10-10 20:28 3,057,436 a------- c:\program files\create.exe
2005-10-05 19:53 28 a------- c:\program files\BodySpectrum.ini
2005-08-29 13:51 28,233,743 a------- c:\program files\BodySpectrum.dxr
2005-03-16 17:13 3,282,656 a------- c:\program files\help.dxr
2005-03-01 16:11 250,672 a------- c:\program files\credits_05.jpg
2005-03-01 15:40 17,782,936 a------- c:\program files\credits_05.mov
2003-09-17 10:16 4,027,873 a----r-- c:\program files\BodySpectrum.exe
2003-09-09 10:21 3,779,582 a------- c:\program files\9-9int800.mov
2007-08-18 17:34 1,147 a--sh--- c:\windows\security\database\ntp2.ini2
2007-11-12 12:52 0 ac-sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 21:07:27.25 ===============

I have run Root Repeal and here is that report...

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/27 22:22
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF37E8000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7DD6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF2247000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SKYNETcbulklnn.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETcbulklnn.sys
Address: 0xF3B1F000 Size: 151552 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\SKYNETxsdapgkt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETxtyrmyso.dll
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcafee_mrkmkgi9z9oywnl
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_rcwwb6hn0j1yyjo
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_3aqpa3d2utn6rku
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_ocgfgtz7ixdioyf
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\system32\drivers\SKYNETcbulklnn.sys
Status: Invisible to the Windows API!

==EOF==


I hope this gives you what you need to get started and thank you very much.

Jeff
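A triage helper for RootRepeal reports like the one above, added here as an example (it is not RootRepeal's or BleepingComputer's code): it parses the Drivers and Hidden/Locked Files sections, separates genuine cross-view hiding from known-benign noise such as the locked hibernation file and the memory-only dump_ driver copies, and maps the globalroot\systemroot path from the Bad Image dialog onto the hidden DLL the scan found. The sample report is constructed from the entries in Jeff's post, and the severity rules are this example's own heuristics.

```python
"""Triage helper for RootRepeal reports (added example, not RootRepeal's own
code).  RootRepeal reads file and driver metadata straight from disk and kernel
structures and compares that raw view with what the Windows API returns; an
object present raw but missing from the API view is the footprint of a hiding
rootkit.  The severity rules below are this example's own heuristics."""
import re
from collections import namedtuple

# Constructed sample, modeled on the report entries posted in the thread.
SAMPLE_REPORT = r"""Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF37E8000 Size: 98304 File Visible: No Signed: -
Status: -

Name: SKYNETcbulklnn.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETcbulklnn.sys
Address: 0xF3B1F000 Size: 151552 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\SKYNETxsdapgkt.dll
Status: Invisible to the Windows API!

==EOF==
"""

RULE = re.compile(r"-{5,}")
# severity is "high" (really hidden), "benign" (known noise) or "review"
Finding = namedtuple("Finding", "section name status severity")


def parse_report(text):
    """Return {section title: [entry dict, ...]} for each dashed section."""
    lines = text.splitlines()
    sections, current, entry = {}, None, {}
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and RULE.fullmatch(lines[i + 1].strip()):
            # A section header is a line followed by a dashed rule.
            current, entry = line.strip(), {}
            sections[current] = []
        elif current is None or RULE.fullmatch(line.strip()):
            continue
        elif not line.strip() or line.startswith("=="):
            if entry:  # a blank line or ==EOF== closes the current entry
                sections[current].append(entry)
                entry = {}
        elif line.startswith("Address:"):
            # One line packs the Address, Size, File Visible and Signed fields.
            for key, val in re.findall(r"([A-Za-z ]+?):\s*(\S+)", line):
                entry[key.strip()] = val
        else:
            key, _, val = line.partition(":")
            entry[key.strip()] = val.strip()
    return sections


def triage(sections):
    """Classify each entry; only cross-view hiding is rated 'high'."""
    out = []
    for e in sections.get("Drivers", []):
        name, status = e.get("Name", "?"), e.get("Status", "-")
        if "hidden" in status.lower():
            sev = "high"    # loaded driver concealed from the API
        elif e.get("File Visible") == "No" and name.lower().startswith("dump_"):
            sev = "benign"  # crash-dump driver copies exist only in memory
        else:
            sev = "review" if e.get("File Visible") == "No" else "benign"
        out.append(Finding("Drivers", name, status, sev))
    for e in sections.get("Hidden/Locked Files", []):
        path, status = e.get("Path", "?"), e.get("Status", "-")
        low = status.lower()
        if "invisible" in low or "hidden" in low:
            sev = "high"    # on disk, but API enumeration omits it
        elif "locked" in low and path.lower().endswith(("hiberfil.sys", "pagefile.sys")):
            sev = "benign"  # the kernel holds these open exclusively
        else:
            sev = "review"
        out.append(Finding("Hidden/Locked Files", path, status, sev))
    return out


def high_findings(text):
    """Names/paths of everything the report shows as hidden from the API."""
    return [f.name for f in triage(parse_report(text)) if f.severity == "high"]


def error_path_to_win32(path, windir=r"C:\WINDOWS"):
    r"""Map the globalroot\systemroot form shown in a 'Bad Image' dialog to the
    drive-letter path RootRepeal prints; 'systemroot' is the NT object-manager
    symlink for the Windows directory."""
    path = re.sub(r"^(\\\\\?\\)?globalroot\\", "", path, flags=re.I)
    return re.sub(r"^systemroot", lambda m: windir, path, flags=re.I)


def explains_bad_image(error_path, text):
    """True when the DLL named in a Bad Image error is one of the hidden files."""
    want = error_path_to_win32(error_path).lower()
    return any(name.lower() == want for name in high_findings(text))
```

Run `triage(parse_report(SAMPLE_REPORT))` to see every entry with its severity; anything rated "high" is the set of objects the API view cannot see, which is what the helper in the thread needs to target.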


#2 SifuMike, malware expert

Posted 13 September 2009 - 11:15 PM

Hello Jeff,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

**********************

Note: If you already have Malwarebytes' Anti-Malware, then update, run it, then do a "Perform Full Scan"
Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Daddyjet, Topic Starter

Posted 14 September 2009 - 09:39 PM

Thanks for your reply. Here are the results of Security Check. I am having trouble with my anti-virus programs running. They tend to stall or lock or not respond. I want to turn off McAfee's auto update, but the program is stalling. I will try and run MBAM and see if it will go. When running Security Check, I was getting error messages that I would have to click on to close and proceed.

Fingers crossed.

Jeff

Here is the log...

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!


``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Spybot - Search & Destroy
Windows Defender
Malwarebytes' Anti-Malware
Java 2 Runtime Environment, SE v1.4.2_03
Adobe Flash Player 10
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Reader 7.0.9
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!


``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

#4 SifuMike, malware expert

Posted 14 September 2009 - 09:48 PM

Hi Daddyjet,


Malwarebytes should work. If not, then we have other ways to run it. :(

#5 Daddyjet, Topic Starter

Posted 15 September 2009 - 01:29 AM

MBAM ran fine. Required re-start and did not have any error messages!
I do not know what a "HijackThis" log is.
Here is the MBAM log. BTW, thanks again.

Malwarebytes' Anti-Malware 1.41
Database version: 2798
Windows 5.1.2600 Service Pack 3

9/14/2009 11:16:59 PM
mbam-log-2009-09-14 (23-16-59).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 206595
Time elapsed: 35 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 SifuMike, malware expert

Posted 15 September 2009 - 11:33 AM

Hi Daddyjet,

Very strange it did not find anything :(

Did you run it twice and post the second log?

Or is that the log from the first run of Malwarebytes?

Usually it finds lots of malware to quarantine and delete, and that's the log I need to see.

See if the log is there from the first run of Malwarebytes.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire MBAM report in your next reply.


Please tell me which McAfee version you are running: McAfee Security Center or McAfee Antivirus?


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Please download Java Version 6 Update 16
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2_03
    J2SE Runtime Environment 5.0 Update 6
    Java 6 Update 5

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.

Edited by SifuMike, 15 September 2009 - 11:46 AM.
insert Java update


#7 Daddyjet, Topic Starter

Posted 15 September 2009 - 12:37 PM

It is the second run log. The first was aborted by me when I realized it was also scanning my backup folder left on the desktop. When I canceled, there was nothing found at that time. I will post that log this evening and work on my Java updates and advise which McAfee I have. My McAfee program wants to make repairs, should I wait or go ahead?
Thanks

#8 SifuMike, malware expert

Posted 15 September 2009 - 12:41 PM

[quote]It is the second run log.[/quote]
I thought so. The first run must have removed all the malware. That's the one I want to see.

[quote]I will post that log this evening and work on my Java updates and advise which McAfee I have.[/quote]
Good. :(

[quote]My McAfee program wants to make repairs, should I wait or go ahead?[/quote]
By repairs, you mean remove virus files? If so, then let it do its job.

#9 Daddyjet, Topic Starter

Posted 15 September 2009 - 01:38 PM

[quote]By repairs, you mean remove virus files? If so, then let it do its job.[/quote]
I don't know exactly. I do know that McAfee did not work right and couldn't update. It basically is asking me to fix the problems it sees.
This virus has been able to dodge McAfee, Ad-Aware and Malwarebytes scans.

#10 SifuMike
    malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 15 September 2009 - 01:41 PM

The malware probably disables McAfee or prevents it from updating.

Edited by SifuMike, 15 September 2009 - 01:41 PM.


#11 Daddyjet
  • Topic Starter
  • Members
  • 16 posts

Posted 15 September 2009 - 11:51 PM

Here is the "first" MBAM log and I am running McAfee Security Center. I am working on the other items.
Thanks
Jeff

Malwarebytes' Anti-Malware 1.41
Database version: 2798
Windows 5.1.2600 Service Pack 3

9/14/2009 9:22:14 PM
mbam-log-2009-09-14 (21-22-14).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 76815
Time elapsed: 1 hour(s), 38 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 SifuMike
    malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 16 September 2009 - 12:00 AM

Hi Jeff,

Very strange that Malwarebytes did not find anything on the first run.

After you're done running McAfee, let me know how your computer is running. :(

Edited by SifuMike, 16 September 2009 - 12:00 AM.
typo


#13 Daddyjet
  • Topic Starter
  • Members
  • 16 posts

Posted 16 September 2009 - 10:12 AM

G'morning. McAfee ran a full scan and found a "BackDoor DVU-Trojan" and quarantined it. The file was "c:\windows\system32\drivers\skynetcbulklnn.sys" I can post a snapshot of the action.
Java has been updated. The computer now starts with no error messages, but still seems like there is something running in the background. I can hear the hard drive working, even if the modem is off and programs are closed.
Seems like progress to me though.

Thanks
Jeff

#14 SifuMike
    malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 16 September 2009 - 11:35 AM

Hi Jeff,

That is a rootkit, we will run ComboFix.

You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee Security Center before running ComboFix, as it will prevent it from running.

To Disable McAfee Security Center

If you cannot disable it, then uninstall it. Just be careful not to go to bad sites, as you will have no protection. You can install it when we are done using ComboFix.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 16 September 2009 - 11:35 AM.


#15 Daddyjet
  • Topic Starter
  • Members
  • 16 posts

Posted 16 September 2009 - 10:12 PM

Combofix done. See log below.
Thanks, Jeff

ComboFix 09-09-16.02 - Compaq_Owner 09/16/2009 19:48.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.440 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Compaq_Owner\cookies\babicoqi.scr
c:\documents and settings\Compaq_Owner\cookies\ehupisilu.pif
c:\documents and settings\Compaq_Owner\cookies\toquhowe._dl
c:\documents and settings\Compaq_Owner\cookies\yporimaqeb.bat
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\nypujit.bat
c:\documents and settings\Compaq_Owner\Local Settings\Temporary Internet Files\dutanatil.dl
c:\documents and settings\Compaq_Owner\Local Settings\Temporary Internet Files\odacid.db
c:\documents and settings\Compaq_Owner\Local Settings\Temporary Internet Files\ubanoka._sy
c:\recycler\S-1-5-21-237106519-1468830605-1185987462-1003
c:\windows\abubodiqat.exe
c:\windows\Installer\c9a22.msp
c:\windows\security\Database\ntp2.ini2
c:\windows\security\Database\ntp2.tmp
c:\windows\system32\ps2.bat
c:\windows\system32\SKYNETxsdapgkt.dll
c:\windows\system32\SKYNETxtyrmyso.dll
c:\windows\viassary-hp.reg
c:\windows\wiaservb.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE
-------\Legacy_FOPN
-------\Legacy_hjgruirjpidfgt
-------\Legacy_SKYNETirjmugmw
-------\Service_hjgruirjpidfgt
-------\Service_SKYNETirjmugmw


((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-16 05:09 . 2009-09-16 05:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-10 04:33 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-08-31 01:10 . 2009-08-31 01:10 -------- d-----w- c:\program files\Cobian Backup 9
2009-08-29 18:22 . 2009-08-31 01:07 -------- d-----w- c:\program files\Cobian Backup 8
2009-08-28 05:21 . 2009-08-28 05:22 15 ----a-w- c:\documents and settings\Compaq_Owner\settings.dat
2009-08-26 05:10 . 2009-08-26 05:10 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-26 05:09 . 2009-08-26 05:09 -------- d-----w- c:\program files\MSBuild
2009-08-26 05:09 . 2009-08-26 05:09 -------- d-----w- c:\program files\Reference Assemblies
2009-08-26 05:08 . 2008-07-06 12:06 89088 -c--a-w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-26 05:08 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
2009-08-26 05:08 . 2009-08-26 05:08 -------- d-----w- C:\ea920a995ed469a5258ec3
2009-08-26 05:08 . 2008-07-06 12:06 575488 -c--a-w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-26 05:08 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
2009-08-26 05:08 . 2008-07-06 12:06 1676288 -c--a-w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-26 05:08 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
2009-08-26 05:08 . 2008-07-06 10:50 597504 -c--a-w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-26 05:07 . 2009-08-27 04:06 -------- d-----w- c:\windows\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 02:59 . 2008-06-27 05:15 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Attensa
2009-09-16 13:22 . 2005-04-01 03:05 27344 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2009-09-16 05:09 . 2004-10-20 13:39 -------- d-----w- c:\program files\Java
2009-09-16 04:37 . 2008-06-16 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-15 02:42 . 2008-10-10 15:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 04:46 . 2007-06-16 19:42 -------- d-----w- c:\program files\McAfee
2009-09-10 21:54 . 2008-10-10 15:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2008-10-10 15:05 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 19:13 . 2008-05-10 03:47 5120 --sha-w- c:\program files\Thumbs.db
2009-08-27 04:07 . 2005-03-28 00:46 49352 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-11-11 04:28 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-11-11 04:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-10-20 12:59 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:50 . 2004-11-11 04:30 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-11-11 04:27 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2006-11-17 14:23 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-11-11 04:30 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-11-11 04:28 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-11-11 04:28 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-11-11 04:28 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-11-11 04:27 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-10-20 12:58 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2008-10-09 02:59 . 2008-10-09 02:59 16155 ----a-w- c:\program files\Common Files\mugafowix._dl
2008-10-09 02:59 . 2008-10-09 02:59 13655 ----a-w- c:\program files\Common Files\goja.dat
2006-12-08 06:20 . 2006-12-08 06:20 2766 ----a-w- c:\program files\removebdsp.log
2006-12-08 06:16 . 2006-12-08 06:16 118643 ----a-w- c:\program files\uninstal.log
2005-10-11 03:28 . 2005-10-12 01:31 3057436 ----a-w- c:\program files\create.exe
2005-10-06 02:53 . 2005-10-07 20:08 28 ----a-w- c:\program files\BodySpectrum.ini
2005-08-29 20:51 . 2005-10-07 20:08 28233743 ----a-w- c:\program files\BodySpectrum.dxr
2005-03-17 00:13 . 2005-10-07 20:08 3282656 ----a-w- c:\program files\help.dxr
2005-03-01 23:11 . 2005-10-07 20:08 250672 ----a-w- c:\program files\credits_05.jpg
2005-03-01 22:40 . 2005-10-07 20:08 17782936 ----a-w- c:\program files\credits_05.mov
2003-09-17 17:16 . 2005-10-07 20:08 4027873 ----a-r- c:\program files\BodySpectrum.exe
2003-09-09 17:21 . 2005-10-07 20:08 3779582 ----a-w- c:\program files\9-9int800.mov
2007-11-12 19:52 . 2007-11-12 19:52 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-18 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-01 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-26 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Start Attensa.lnk - c:\program files\Attensa\AttensaEngine.exe [2007-12-5 457952]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Attensa\\AttensaEngine.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 4:40 AM 118784]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor\McSACore.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 19:34]

2009-09-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-16 22:53]

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-19 17:53]

2009-06-19 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-19 17:53]

2009-09-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
IE: Attensa - Add Feed - c:\progra~1\Attensa\ATTENS~3.DLL/ContextMenu.html
IE: Attensa - Preview Feed - c:\progra~1\Attensa\ATTENS~3.DLL/ContextMenuPreview.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\htq44fw4.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Notify-accvga - c:\windows\security\database\accvga.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 19:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3192)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Attensa\AttensaNotifier.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-09-17 20:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-17 03:07

Pre-Run: 19,907,014,656 bytes free
Post-Run: 20,097,392,640 bytes free

232 --- E O F --- 2009-09-14 16:09
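To make a log like the one above quicker to read, here is a small triage script (an added example, not ComboFix's or the forum's own code) that splits a ComboFix log into its banner-delimited sections and lists the files deleted, the driver/service entries removed, any Security Center monitoring that was switched off and any proxy set in Internet Settings. The embedded sample log is constructed from a subset of the lines posted above, and the choice of which findings to flag is my own heuristic, not anything ComboFix itself reports.

```python
"""Triage helper for a ComboFix log (added example, not ComboFix's own code).
Sections sit under "(((( name ))))" or "--- name ---" banners, are padded with
lone "." lines, and removed driver/service entries read "-------\\Service_x"."""
import re
from typing import Dict, List

BANNER_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")        # ((( name )))
DASH_BANNER_RE = re.compile(r"^-+ (?P<name>[A-Za-z][^-]*?) -+$")   # --- name ---
ENTRY_RE = re.compile(r"^-+\\(?P<name>\S+)$")                      # -------\Service_x
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")                          # [HKEY_...]
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<proxy>.+)$")


def split_sections(log: str) -> Dict[str, List[str]]:
    """Map each banner name to the lines beneath it, dropping blanks and lone dots."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in log.splitlines():
        line = raw.strip()
        match = BANNER_RE.match(line) or DASH_BANNER_RE.match(line)
        if match:
            current = match.group("name")
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def triage(log: str) -> Dict[str, List[str]]:
    """Summarise removals plus the settings a helper would look at twice."""
    sections = split_sections(log)
    deleted = sections.get("Other Deletions", [])
    removed = [m.group("name") for m in map(ENTRY_RE.match, sections.get("Drivers/Services", [])) if m]
    findings: List[str] = []
    for path in deleted:  # deletions inside system directories deserve a look
        if "\\system32\\" in path.lower() or "\\drivers\\" in path.lower():
            findings.append(f"system-directory file deleted: {path}")
    current_key = ""
    for line in sections.get("Reg Loading Points", []):
        match = KEY_RE.match(line)
        if match:
            current_key = match.group("key")
        elif (line == '"DisableMonitoring"=dword:00000001'
              and "security center" in current_key.lower()):
            product = current_key.rsplit("\\", 1)[-1]
            findings.append(f"Security Center monitoring disabled for {product}")
    for line in sections.get("Supplementary Scan", []):
        match = PROXY_RE.match(line)
        if match:  # a local proxy routes every browser request through it
            findings.append(f"Internet Settings proxy configured: {match.group('proxy')}")
    return {"deleted": deleted, "removed_entries": removed, "findings": findings}


# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Compaq_Owner\cookies\babicoqi.scr
c:\windows\system32\SKYNETxsdapgkt.dll
c:\windows\system32\SKYNETxtyrmyso.dll
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_SKYNETirjmugmw
-------\Service_hjgruirjpidfgt
-------\Service_SKYNETirjmugmw
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=localhost:8080
"""
```

Run `triage(SAMPLE_LOG)` (or pass the full text of a saved ComboFix.txt) to get the three lists; on the sample it reports the two SKYNET DLLs deleted from system32, the three removed service entries, the McAfee monitoring entry and the localhost proxy.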



