Infected with TR/Hijacker.Gen

  • This topic is locked
2 replies to this topic

#1 Leylani


  • Members
  • 1 posts
  • Local time:09:02 PM

Posted 22 April 2010 - 05:41 PM

About 24 hours ago now I, I guess contracted is the right word, a Malware Doctor thing. After many hours of troubleshooting I managed to remove it using Malwarebytes' Anti-Malware. However, it turned out my machine was also infected with a trojan Hijacker. My system is protected by SpyBot, Avira and McAfee so how this happened exactly, is beyond me. Both the doctor thing and this were contracted at the same time while watching a show on a website I have used many times in the past. It was completely innocuous. Anyway, supposedly when one has this Hijacker there should be a process known as aha7.exe in the taskmanager which should be removed thus solving the problem. There is nothing in my taskmanager that should not be there. It is named TR/Hijacker.Gen and is located in the Temporary files folder. According to my Avira. However, these are the folders the actual hijacker creates. If I open said folder, I can see them being created. Avira detects the folders it makes but not the source. I have tried several things thus far. I have downloaded Ad-Aware, I've run all of the scanners I've mentioned in safe mode but nothing seems to detect it. Only Avira and occasionally McAfee detect the files it creates. I've run a manual search for this aha7.exe thing but that didn't turn anything up either. I tried forcing it by removing all the files it created but it simply put itself back. The second time I tried this it simply stated said files were in use and could not be removed. The filepath is always the same, 4 random letters .tmp\svchost.exe. In my taskmanager, and I do not know if this is relevant, there are 8 svchost items whereas on a friend's computer, there are only 7. My IT tech friend thinks perhaps the Hijacker has disguised itself as one of these. As such going through the taskmanager and killing everything not pertinent to the system did not help. 
I am still after all the scanning and all the troubleshooting getting prompts from Avira that random files created are the Hijacker. I delete or quarantine and several minutes later it pops up again with the same message only a slightly different filepath. I have done as specified in the guidelines and scanned with DDS and GMER.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Dragonmistress at 21:53:17,71 on do 22/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.32.1043.18.894.184 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Power Manager\PM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dragonmistress\Mijn documenten\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {860C2F6B-CA82-4282-9187-BECCBB66F0AF} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.0.720.3640\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [PowerManager] c:\program files\power manager\PM.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\dragonmistress\menu start\programma's\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Tradewinds%20Caravans/Images/stg_drm.ocx
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/nl/uno1/GAME_UNO1.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\burger island\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dragon~1\applic~1\mozilla\firefox\profiles\hlest66u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-22 64288]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-3 343920]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-30 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-30 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-30 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-30 56816]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-1-6 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2009-9-25 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-1-6 147472]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-1-6 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-7-3 70728]
R3 EKBfltr;ENE Keyboard Controller;c:\windows\system32\drivers\EKBfltr.sys [2006-1-16 5504]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-3 91832]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-3 43288]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 Boonty Games;Boonty Games;c:\program files\common files\boonty shared\service\Boonty.exe [2006-9-12 69120]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-7-3 66600]

=============== Created Last 30 ================

2010-04-22 18:50:09 0 d-----w- c:\program files\Trend Micro
2010-04-22 18:00:53 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-22 13:56:14 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-22 13:55:43 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-22 13:47:02 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-22 13:45:25 0 d-----w- c:\program files\Lavasoft
2010-04-21 05:56:20 0 d-----w- c:\docume~1\dragon~1\applic~1\Malwarebytes
2010-04-21 05:55:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-21 05:55:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-21 05:54:54 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 05:54:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 05:29:09 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-21 05:29:07 882 ----a-w- c:\windows\RegSDImport.xml
2010-04-21 05:29:07 880 ----a-w- c:\windows\RegISSImport.xml
2010-04-21 05:29:06 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-21 05:29:06 131 ----a-w- c:\windows\IDB.zip
2010-04-21 05:29:05 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-21 05:29:05 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-04-21 05:29:05 1152444 ----a-w- c:\windows\UDB.zip
2010-04-21 05:23:55 0 d-----w- c:\program files\common files\PC Tools
2010-04-21 05:23:52 0 d-----w- c:\program files\Spyware Doctor
2010-04-21 03:24:05 0 d-----w- c:\docume~1\dragon~1\applic~1\E2DD2A401581DCA2F002BBF474FA1A1C
2010-04-12 15:23:38 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-04-12 15:23:38 5504 ----a-w- c:\windows\system32\dllcache\mstee.sys
2010-04-12 15:23:15 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2010-04-12 15:23:15 10880 ----a-w- c:\windows\system32\dllcache\ndisip.sys
2010-04-12 15:23:06 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2010-04-12 15:23:06 15232 ----a-w- c:\windows\system32\dllcache\streamip.sys
2010-04-12 15:23:05 16384 ----a-w- c:\windows\system32\ipsink.ax
2010-04-12 15:23:05 16384 ----a-w- c:\windows\system32\dllcache\ipsink.ax
2010-04-12 15:22:57 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2010-04-12 15:22:57 11136 ----a-w- c:\windows\system32\dllcache\slip.sys
2010-04-12 15:22:47 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2010-04-12 15:22:47 19200 ----a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-04-12 15:22:35 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2010-04-12 15:22:35 85248 ----a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-04-12 15:22:25 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
2010-04-12 15:22:25 17024 ----a-w- c:\windows\system32\dllcache\ccdecode.sys
2010-04-12 15:21:58 54272 ----a-w- c:\windows\system32\vfwwdm32.dll
2010-04-12 15:21:58 54272 ----a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-04-12 15:21:57 91648 ----a-w- c:\windows\system32\kswdmcap.ax
2010-04-12 15:21:57 91648 ----a-w- c:\windows\system32\dllcache\kswdmcap.ax
2010-04-12 15:21:57 61952 ----a-w- c:\windows\system32\kstvtune.ax
2010-04-12 15:21:57 61952 ----a-w- c:\windows\system32\dllcache\kstvtune.ax
2010-04-12 15:21:57 43008 ----a-w- c:\windows\system32\ksxbar.ax
2010-04-12 15:21:57 43008 ----a-w- c:\windows\system32\dllcache\ksxbar.ax
2010-04-12 15:21:56 20992 ----a-w- c:\windows\system32\dshowext.ax
2010-04-12 15:21:56 20992 ----a-w- c:\windows\system32\dllcache\dshowext.ax
2010-04-12 15:21:38 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-04-12 15:21:38 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys

==================== Find3M ====================

2010-04-22 06:13:42 125696 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-04-22 06:13:42 125696 ----a-w- c:\windows\system32\dllcache\ftdisk.sys
2010-04-21 05:38:52 88402 ----a-w- c:\windows\system32\perfc013.dat
2010-04-21 05:38:52 503954 ----a-w- c:\windows\system32\perfh013.dat
2010-03-10 06:17:43 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:17:43 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 09:50:12 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:56:54 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 12:09:58 2194304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 12:09:58 2194304 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 19:09:57 2071168 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 19:09:57 2071168 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 19:09:53 2150912 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 19:09:52 2029056 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:35:06 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:35:06 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2008-02-29 23:50:48 0 -c--a-w- c:\program files\temp01
2006-09-19 18:30:12 0 -c--a-w- c:\program files\izWrTe50353.tmp
2006-05-09 23:29:12 774144 -c--a-w- c:\program files\RngInterstitial.dll
2008-10-24 20:38:15 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\mshist012008102420081025\index.dat

============= FINISH: 21:57:09,82 ===============

I've attached the two other logs as requested. I can also provide a HijackThis log if need be.

Any possible help would be greatly appreciated.


Attached Files
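
The symptom described in the post above, a `svchost.exe` that runs from a four-letter `.tmp` folder under the temporary files directory, can be checked against the image paths in the "Running Processes" section of a DDS log. The following is an added example, not part of the original thread and not code from DDS: the function names and the sample log are constructed (including its user name and the `abcd.tmp` folder), and it assumes Windows is installed in `C:\WINDOWS`.

```python
import ntpath
import re

# Assumption: 32-bit Windows XP installed in C:\WINDOWS, as in the log above.
# A genuine svchost.exe runs only from this directory.
TRUSTED_DIR = r"c:\windows\system32"

# "===== Title =====" section headers as printed by DDS.
SECTION = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")
# Image path of a process whose file name is svchost or svchost.exe.
SVCHOST = re.compile(r'^"?(?P<image>[a-z]:\\.*?\\svchost(?:\.exe)?)"?(?:\s|$)', re.I)
# Parent folder named "<4 letters>.tmp", the pattern reported in the post.
RANDOM_TMP = re.compile(r"\\[a-z]{4}\.tmp$", re.I)

# Constructed sample in the layout of a DDS log. The first three process
# lines are modelled on the log above; the last two are made up.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\DOCUME~1\user\LOCALS~1\Temp\abcd.tmp\svchost.exe
C:\WINDOWS\svchost.exe

============== Pseudo HJT Report ===============

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
"""


def running_processes(log):
    """Return the non-empty lines of the 'Running Processes' section."""
    lines, inside = [], False
    for raw in log.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            inside = header.group("title").lower() == "running processes"
            continue
        if inside and line:
            lines.append(line)
    return lines


def svchost_findings(log):
    """Return (image_path, verdict) for every svchost process in the log."""
    findings = []
    for line in running_processes(log):
        match = SVCHOST.match(line)
        if not match:
            continue  # some other process; not checked here
        image = ntpath.normpath(match.group("image"))
        folder = ntpath.dirname(image).lower()
        if folder == TRUSTED_DIR:
            verdict = "ok"
        elif RANDOM_TMP.search(folder):
            verdict = "suspicious: random .tmp folder"
        else:
            verdict = "suspicious: outside system32"
        findings.append((image, verdict))
    return findings


if __name__ == "__main__":
    for image, verdict in svchost_findings(SAMPLE_LOG):
        print(f"{verdict:32} {image}")
```

A result of "ok" for every entry only rules out this one masquerade by file name: a rootkit can hide a process from the tool that produced the list, so the image path is a triage signal and not proof that the machine is clean.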



#2 sempai



  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:02 AM

Posted 24 April 2010 - 11:26 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


One or more of the identified infections is a Rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.


I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Avira AntiVir Personal or McAfee VirusScan Enterprise.

Important note: It is important to run the removal tool after you uninstall the AV that you wish to remove.
Avira removal tool --> HERE
McAfee removal tool --> HERE

Please let me know if you do not wish to reformat so we can begin the cleaning process. Thanks.



You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#3 sempai



  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:02 AM

Posted 30 April 2010 - 09:44 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.


