
Trojan?



#1 sheighly

Posted 28 October 2009 - 01:40 PM

Hey all! I am pretty sure I have some type of trojan somewhere on my system. When using IE I get redirected to a gazillion different pages, none of which I need. Soooooo I am hoping someone can help.
Here is the DDS file:



DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 13:26:53.21 on Wed 10/28/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.473 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: a-squared Anti-Malware *On-access scanning enabled* (Outdated) {0F8591BB-342B-4493-91C3-4E948ED21255}
AV: HAURI AntiVirus ViRobot *On-access scanning disabled* (Updated) {0E1A4B6B-60E9-4B3A-8031-1950BD69B260}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hauri\ViRobot Desktop 5.5\AccessControl\HFACSvc.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Hauri\ViRobot Desktop 5.5\hpcsvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Hauri\Common\hsvcmod.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hauri\ViRobot Desktop 5.5\PCFirewall\vrfwsvc.exe
C:\Program Files\NovaShield\NSService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hauri\ViRobot Desktop 5.5\PCFirewall\vrfwsock.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PlaySushi: {21608b66-026f-4dcb-9244-0daca328dced} - PlaySushi
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: {c5af4d9b-0b55-4bac-9486-218ea2c6bc3e} - Trlokom IE Toolbar
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: IEHelpObj Class: {ec45e3fe-c16d-4f24-9238-d1b49ad74815} - c:\program files\hauri\virobot desktop 5.5\service\hWebMan.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Trlokom IE Toolbar: {c5af4d9b-0b55-4bac-9486-218ea2c6bc3e} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NovaShield] c:\program files\novashield\NovaShield.exe startup
mRun: [a-squared] "c:\program files\a-squared anti-malware\a2guard.exe" /d=60
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
IE: {5CFA5B80-01F4-420F-B18B-545712C8A1C8} - http://www.playsushi.com/About.ps?l=6&t=nEsdUWz2W
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www-cdn.freerealms.com/gamedata/plugins/1.0.3.83/FreeRealmsInstaller.cab?v=1032
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE}
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256743770212
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\n7py2rtm.default\
FF - prefs.js: browser.startup.homepage - www.masslive.com
FF - plugin: c:\program files\sony online entertainment\npsoe.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-22 64288]
R1 NSKernel_drv;NSKernel_drv;c:\windows\system32\drivers\NSKernel.sys [2009-10-23 772608]
R2 hpcsvc;ViRobot Communication Service;c:\program files\hauri\virobot desktop 5.5\hpcsvc.exe [2009-10-22 270336]
R2 novashield;NovaShield Activity Monitor;c:\program files\novashield\NSService.exe [2009-10-23 135168]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-9-22 604488]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-27 24652]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2009-3-27 92550]
R3 VRFWNTD5;VRFWNTD5 Hauri Network Driver;c:\windows\system32\drivers\VRFWNTD5.SYS [2009-10-22 80950]
R3 VRsecos;VRsecos;c:\windows\system32\drivers\VRsecos.sys [2009-10-22 15644]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 7\incd\nbhregincdsrv.exe --> c:\program files\nero\nero 7\incd\NBHRegInCDSrv.exe [?]
S3 BLZHOBPCO;BLZHOBPCO;c:\docume~1\owner\locals~1\temp\blzhobpco.exe --> c:\docume~1\owner\locals~1\temp\BLZHOBPCO.exe [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-8-25 59552]
S3 getPlusHelper;getPlus® Installer;c:\windows\system32\svchost.exe -k getPlusHelper [2006-2-28 14336]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\140.tmp --> c:\windows\system32\140.tmp [?]
S3 MMRHZSJF;MMRHZSJF;c:\docume~1\owner\locals~1\temp\mmrhzsjf.exe --> c:\docume~1\owner\locals~1\temp\MMRHZSJF.exe [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-10-21 34760]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2009-10-28 15:39:51 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-28 15:37:30 0 d-----w- c:\windows\system32\bits
2009-10-28 15:36:05 7168 -c----w- c:\windows\system32\dllcache\bitsprx4.dll
2009-10-28 15:36:05 7168 ------w- c:\windows\system32\bitsprx4.dll
2009-10-28 14:22:04 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-28 14:21:23 0 d-----w- c:\program files\Sophos
2009-10-28 14:20:18 0 d--h--w- c:\windows\ie8
2009-10-28 14:02:35 882 ----a-w- c:\windows\RegSDImport.xml
2009-10-28 14:02:35 880 ----a-w- c:\windows\RegISSImport.xml
2009-10-28 14:02:34 131 ----a-w- c:\windows\IDB.zip
2009-10-28 14:02:34 1152470 ----a-w- c:\windows\UDB.zip
2009-10-28 13:55:53 0 d-----w- c:\program files\common files\PC Tools
2009-10-28 13:55:52 0 d-----w- c:\program files\Spyware Doctor
2009-10-27 15:34:50 0 d-----w- c:\program files\Trend Micro
2009-10-27 01:19:02 0 d-----w- c:\docume~1\owner\applic~1\Spyware Terminator
2009-10-27 01:18:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2009-10-27 01:18:26 0 d-----w- c:\program files\Spyware Terminator
2009-10-27 01:15:11 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-27 01:15:11 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-10-27 01:08:19 0 d-----w- C:\VeXpLite
2009-10-27 01:08:07 0 dc----w- c:\docume~1\alluse~1\applic~1\{01ED6211-3FBB-4391-902A-017933CD7F97}
2009-10-27 01:07:34 0 d-----w- c:\program files\Safer Networking
2009-10-27 00:46:15 0 d-----w- c:\program files\Mozilla Firefox(2)
2009-10-26 17:28:28 0 d-----w- c:\program files\Trojan Remover
2009-10-26 13:13:59 125440 ----a-w- c:\windows\system32\encdec32(2).dll
2009-10-26 02:05:04 0 d-----w- c:\program files\Loaris Trojan Remover
2009-10-24 17:33:21 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-10-24 17:33:21 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-10-24 17:33:20 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-10-24 17:33:20 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-10-24 17:33:20 153088 ----a-w- c:\windows\system32\unrar3.dll
2009-10-24 17:32:57 0 d-----w- c:\docume~1\owner\applic~1\Simply Super Software
2009-10-24 17:32:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-10-23 22:35:32 0 d-----w- c:\program files\a-squared Anti-Malware
2009-10-23 05:29:28 772608 ----a-w- c:\windows\system32\drivers\NSKernel.sys
2009-10-23 05:29:21 1376336 ----a-w- c:\windows\system32\LicProtectorEasyGo260.dll
2009-10-23 05:29:19 0 d-----w- c:\program files\NovaShield
2009-10-23 04:01:40 0 d--h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-23 04:01:39 0 d-----w- c:\program files\Lavasoft
2009-10-23 04:01:15 0 d-----w- c:\program files\common files\Software Update Utility
2009-10-23 04:01:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 03:34:22 0 d-----w- c:\docume~1\owner\applic~1\MSNInstaller
2009-10-22 13:25:23 7028736 ----a-w- c:\windows\system32\FNMNXOFINWF
2009-10-22 04:43:55 0 d--h--w- c:\windows\msdownld.tmp
2009-10-22 04:29:28 0 d-----w- c:\docume~1\alluse~1\applic~1\55327325
2009-10-22 04:27:38 0 d-----w- c:\docume~1\owner\applic~1\HAURI
2009-10-22 04:07:07 27260 ------w- c:\windows\system32\drivers\vracfil.sys
2009-10-22 04:07:05 15644 ------w- c:\windows\system32\drivers\VRsecos.sys
2009-10-22 04:07:04 80950 ----a-w- c:\windows\system32\drivers\VRFWNTD5.SYS
2009-10-22 04:06:59 66993 ----a-w- c:\windows\system32\drivers\vradfil.sys
2009-10-22 04:06:38 403051 ------w- c:\windows\system32\drivers\virobot.vib
2009-10-22 04:05:07 0 d-----w- c:\program files\Hauri
2009-10-22 04:01:10 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-22 01:44:19 6975488 ----a-w- c:\windows\system32\CDSMJRYVBV
2009-10-22 01:16:14 6971392 ----a-w- c:\windows\system32\WYLHNE
2009-10-22 01:03:43 2 --shatr- c:\windows\winstart.bat
2009-10-22 01:03:08 35040 ----a-w- c:\windows\system32\Partizan.exe
2009-10-22 01:03:08 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-10-22 00:40:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 00:40:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-21 23:03:30 0 d-----w- c:\windows\trlrm
2009-10-21 23:03:26 36 ---h--r- c:\windows\sued.dat
2009-10-21 20:56:03 0 ----a-w- c:\windows\win32k.sys
2009-10-21 15:30:32 0 d-----w- c:\docume~1\alluse~1\applic~1\InterVideo
2009-10-21 15:30:24 209040 ----a-w- c:\windows\system32\IVIresizeW7.dll
2009-10-21 15:30:24 192656 ----a-w- c:\windows\system32\IVIresizePX.dll
2009-10-21 15:30:23 24720 ----a-w- c:\windows\system32\IVIresize.dll
2009-10-21 15:30:23 204944 ----a-w- c:\windows\system32\IVIresizeA6.dll
2009-10-21 15:30:23 196752 ----a-w- c:\windows\system32\IVIresizeP6.dll
2009-10-21 15:30:23 196752 ----a-w- c:\windows\system32\IVIresizeM6.dll
2009-10-20 13:41:40 0 d-----w- c:\program files\Wal-Mart
2009-10-20 13:41:40 0 d-----w- c:\docume~1\owner\applic~1\Wal-Mart
2009-10-20 13:41:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Wal-Mart
2009-10-12 06:08:42 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-10-12 06:08:34 0 d-----w- c:\program files\Security Task Manager
2009-10-11 01:45:59 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-11 01:45:59 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-11 01:43:08 0 d-----w- c:\program files\iPod
2009-10-11 01:43:02 0 d-----w- c:\program files\iTunes
2009-10-11 01:43:02 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-11 01:42:26 0 d-----w- c:\program files\Bonjour
2009-10-11 00:45:40 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
2009-10-11 00:44:52 0 d-----w- c:\program files\AIM
2009-10-10 17:03:39 0 d-----w- c:\program files\AIM Toolbar
2009-10-10 17:03:39 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM Toolbar
2009-10-02 17:07:07 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-01 22:29:26 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys
2009-10-01 22:29:19 0 d-----w- c:\program files\dvd43
2009-09-30 12:25:19 3255 ----a-w- c:\windows\system32\wbem\Outlook_01ca41c9127962e0.mof
2009-09-29 12:23:19 0 d-sh--w- c:\documents and settings\owner\IECompatCache

==================== Find3M ====================

2009-09-22 14:26:43 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-09-22 14:26:37 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-09-16 14:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-08-05 09:11:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll

============= FINISH: 13:30:45.49 ===============


Here is the rootkit scan:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/28 13:45
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3E2E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AB7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7BAD000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0734000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\sqlite_c9luycdiyk7wqcr
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_fbokblq8zmd5utw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_ly6lryyijvtfz74
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_ngrgjjzd3pavn8s
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_qljt99qiulb8vbm
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40ccbd3

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40c5a47

#: 018 Function Name: NtAreMappedFilesTheSame
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40ccce6

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40c621d

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40c65f1

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40c6750

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40c6c6e

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40c6d5c

#: 074 Function Name: NtExtendSection
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40c7171

#: 106 Function Name: NtMapUserPhysicalPages
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40cd3a6

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40c7c4c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40c82dc

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40c83e5

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40c892d

#: 167 Function Name: NtQuerySection
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40c9648

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40ca0b1

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40e8c2d

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40ca353

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40cad4a

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40cae66

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40cb630

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40cba6a

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40cbdd6

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\NSKernel.sys" at address 0xf40cc2de

==EOF==

thank you
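Added example, not part of the original post and not code from the DDS tool: a small Python triage script, using heuristics of my own choosing, that parses the line formats of the DDS "SERVICES / DRIVERS" and "Created Last 30" sections shown above and lists entries worth a second look (services whose file DDS could not read, binaries under a temp directory, and extensionless random-looking names directly in system32). The sample lines are a constructed subset copied from the log above; the heuristics also trip on legitimate tools such as rootrepeal.sys, so the output is a review list, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the DDS log above.
SAMPLE_SERVICES = r"""
R1 NSKernel_drv;NSKernel_drv;c:\windows\system32\drivers\NSKernel.sys [2009-10-23 772608]
R2 hpcsvc;ViRobot Communication Service;c:\program files\hauri\virobot desktop 5.5\hpcsvc.exe [2009-10-22 270336]
S3 BLZHOBPCO;BLZHOBPCO;c:\docume~1\owner\locals~1\temp\blzhobpco.exe --> c:\docume~1\owner\locals~1\temp\BLZHOBPCO.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\140.tmp --> c:\windows\system32\140.tmp [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
"""
SAMPLE_CREATED = r"""
2009-10-28 15:39:51 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-28 15:37:30 0 d-----w- c:\windows\system32\bits
2009-10-22 13:25:23 7028736 ----a-w- c:\windows\system32\FNMNXOFINWF
2009-10-22 01:44:19 6975488 ----a-w- c:\windows\system32\CDSMJRYVBV
2009-10-22 01:16:14 6971392 ----a-w- c:\windows\system32\WYLHNE
2009-10-22 00:40:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

# "R2 name;display;path [date size]", or "[?]" when DDS had no file info
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$")
# "date time size attrs path"; attrs is an 8-char flag string, 'd' = directory
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S{8})\s+(.+)$")

NO_FILE_INFO = "DDS could not read file date/size ([?])"

@dataclass
class Finding:
    kind: str      # "service" or "file"
    name: str
    path: str
    reasons: list

def looks_random(name: str) -> bool:
    """Heuristic (mine, not DDS's): all-caps, letters only, 6+ chars, under 30% vowels."""
    stem = name.split(".")[0]
    if len(stem) < 6 or not stem.isalpha() or not stem.isupper():
        return False
    vowels = sum(1 for c in stem if c in "AEIOU")
    return vowels / len(stem) < 0.3

def triage_services(text: str) -> list:
    """Flag service/driver entries from a DDS SERVICES / DRIVERS section."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        _state, _start, name, _display, path, info = m.groups()
        reasons = []
        if info == "?":
            reasons.append(NO_FILE_INFO)
        if re.search(r"\\temp\\", path, re.IGNORECASE):
            reasons.append("binary lives under a temp directory")
        if looks_random(name):
            reasons.append("random-looking service name")
        if reasons:
            findings.append(Finding("service", name, path, reasons))
    return findings

def triage_created(text: str) -> list:
    """Flag recently created files from a DDS Created Last 30 section."""
    findings = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        _stamp, _size, attrs, path = m.groups()
        if attrs.startswith("d"):
            continue  # directory entry, not a file
        base = path.rsplit("\\", 1)[-1]
        reasons = []
        if "." not in base and re.search(r"\\system32\\[^\\]+$", path, re.IGNORECASE):
            reasons.append("extensionless file directly under system32")
        if looks_random(base):
            reasons.append("random-looking file name")
        if reasons:
            findings.append(Finding("file", base, path, reasons))
    return findings

if __name__ == "__main__":
    for f in triage_services(SAMPLE_SERVICES) + triage_created(SAMPLE_CREATED):
        print(f"{f.kind:8} {f.name:14} {'; '.join(f.reasons)}")
```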



#2 kahdah

Posted 03 November 2009 - 06:24 AM

Hello sheighly

Welcome to BleepingComputer :(
==========================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



