Malwarebytes' will not run, as well as spybot [Solved]


#1 askey35 (Member, 10 posts)
Hi,

Just a little while ago I had gotten a pop-up that looked like the Windows Security Center screens (different from the last fake anti-virus trojan I got) but would not go away at all. Before this happened I got a notice saying that my antivirus was turned off. I then shut the computer down and booted up in Safe Mode; I then tried to run Malwarebytes'. It would show up in the task manager's processes list but nothing would show up on the screen for me to scan the computer. I also tried to run Spybot Search and Destroy but it would do the same thing. I then restarted the computer again and this time started the computer up in Safe Mode with Networking. I tried the same stuff over but it would not scan. I was able to run CCleaner on both the computer and registry, with both having things fixed through the program.

I then started the computer up in the regular operating mode and would receive 2 boxes telling me that two processes had to be shut down; one was Google Updater (I'm using Google Chrome) and the other just said b.EXE. Both Spybot and Malwarebytes run in the tool bar but will not commence a scan of the computer to remove this.


I also tried to install Combofix and it will not even install.


Any Help Is appreciated,

Kevin

#2 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

Welcome to GeeksToGo.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Please ensure you have word wrap turned off in Notepad. To do this, open Notepad, choose Format, then ensure Word Wrap is Un-checked. (Word Wrap makes reading your logs difficult).

Please delete Combofix from your desktop. Also please don't try to run any tools unless I advise, as they could do more damage to your machine.

Now let's run a few scans to see what is affecting your computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download this EXE file. Save it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click the randomly named EXE file. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • Click the Save... button, and save the log as GMER-1.log
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • Click on the Save... button again, and save it this time as "GMER-2.log"
If for some reason the program hangs during the second scan, post me the contents of the first log. If it doesn't hang, then just post me the contents of the second log.

Note: Use Notepad to open the logs so you can copy them in here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google....rotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.
Click on the Log tab.
In the Write to log box select all items.
Click on the Create Log button on the bottom right.
After a few seconds a new Window should appear.
Make sure Scan all drives is selected and click on the Start button.
When it is complete a new Window will appear to indicate that the scan is finished.
The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download DDS and save it to your desktop from here or here or here.


Disable any script blocking software, and then double click dds.scr to run the tool.
  • When done, DDS will open two logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the attachment icon to insert the attachment into your post
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following logs:
  • The contents of the GMER log
  • The contents of the SySProt log
  • The contents of DDS.txt
  • Attach.txt as an attachment
Note that you may have to make two or three posts to ensure all the logs are correctly posted.

Regards,
RatHat
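The logs requested above can be pre-screened mechanically before a helper reads them line by line. The script below is an added example written for this page, not a tool from the thread or from GMER or SysProt; it assumes the record layouts seen in the logs posted later in this thread, and its known-good set of Windows-root executables and its "temp folder or loose in the Windows directory" heuristic are assumptions of the example.

```python
"""Triage helper for GMER and SysProt AntiRootkit logs: lists the leads a helper reads first (leads, not verdicts)."""
import re

# Constructed samples in the same layout as the logs posted later in this thread.
GMER_SAMPLE = r"""
---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kungsfiwtgxiif.sys (*** hidden *** ) [SYSTEM] kungsffifukier <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACdojdvjiyey.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
"""
SYSPROT_SAMPLE = r"""
Process:
Name: C:\WINDOWS\msa.exe
PID: 1488
Hidden: No
Window Visible: No

Name: C:\DOCUME~1\MEA40B~1.PC6\LOCALS~1\Temp\b.exe
PID: 2176
Hidden: No
Window Visible: No

**********
Kernel Modules:
Module Name: C:\WINDOWS\system32\drivers\kungsfiwtgxiif.sys
Service Name: kungsffifukier
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F7441000
Module End: F746F000
Hidden: No

**********
Kernel Hooks:
Hooked Function: IofCallDriver
At Address: 804EF1A0
Jump To: 8567BA62
Module Name: _unknown_

**********
Ports:
Local Address: PC608619932964.NO.COX.NET:1240
Remote Address: MAP-C.PIPELANE.NET:HTTP
Type: TCP
Process: C:\WINDOWS\msa.exe
State: ESTABLISHED
"""

SECTIONS = {"Process", "Kernel Modules", "Kernel Hooks", "Ports"}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s?(.*)$")      # first colon ends the key; paths keep theirs
GMER_SERVICE_RE = re.compile(r"^Service\s+(?P<path>.+?)\s+\((?P<flags>[^)]*)\)\s+\[[^\]]*\]"
                             r"\s+(?P<name>\S+)(?P<tag>\s+<-- ROOTKIT !!!)?$")

def parse_gmer_services(text):
    """(path, service name, hidden?, tagged ROOTKIT?) for each 'Service ...' line of a GMER log."""
    return [(m["path"], m["name"], "hidden" in m["flags"], m["tag"] is not None)
            for m in map(GMER_SERVICE_RE.match, text.splitlines()) if m]

def parse_sysprot(text):
    """Split a SysProt log into sections of 'Key: value' records; blank or banner lines end a record."""
    sections, current, record = {name: [] for name in SECTIONS}, None, {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        header = bool(m) and m[2] == "" and m[1] in SECTIONS    # a bare "Ports:" style line
        if m and current and not header:
            record[m[1]] = m[2].strip()
            continue
        if record:                                              # record finished: store it
            sections[current].append(record)
            record = {}
        if header:
            current = m[1]
    if record:
        sections[current].append(record)
    return sections

def is_unusual_location(path):
    """Assumed heuristic: runs from a temp folder, or loose in the Windows directory (like msa.exe above)."""
    p = path.lower()
    if "\\temp\\" in p:
        return True
    m = re.match(r"^[a-z]:\\windows\\([^\\]+)$", p)
    return bool(m) and m[1] not in {"explorer.exe", "notepad.exe", "regedit.exe"}   # assumed known-good set

def triage(gmer_text, sysprot_text):
    # Every list is something for a human to review; the thread itself warns about false positives.
    s = parse_sysprot(sysprot_text)
    return {
        "gmer_rootkit_services": [name for _, name, _, tagged in parse_gmer_services(gmer_text) if tagged],
        "hidden_modules": [r["Module Name"] for r in s["Kernel Modules"] if r.get("Hidden") == "Yes"],
        "unknown_hooks": [r["Hooked Function"] for r in s["Kernel Hooks"] if r.get("Module Name") == "_unknown_"],
        "unusual_processes": [r["Name"] for r in s["Process"] if is_unusual_location(r.get("Name", ""))],
        "unusual_connections": [(r["Process"], r["Remote Address"], r["State"]) for r in s["Ports"]
                                if r.get("State") == "ESTABLISHED" and is_unusual_location(r.get("Process", ""))],
    }
```

Run `triage(GMER_SAMPLE, SYSPROT_SAMPLE)` to see the five lead lists; feeding it the full logs from the thread surfaces the three hidden drivers, the four hooks into an unknown module, and the msa.exe connections in one pass.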
#3 askey35 (Topic Starter, Member, 10 posts)
GMER-1.log; GMER-2 got hung up and the system froze.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-24 08:49:47
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 858556DE ZwEnumerateKey
Code 859635BE ZwFlushInstructionCache
Code 85856C35 IofCallDriver
Code 853513ED IofCompleteRequest
Code 8587BDED ZwSaveKey
Code 8565A735 ZwSaveKeyEx

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kungsfiwtgxiif.sys (*** hidden *** ) [SYSTEM] kungsffifukier <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\SKYNETnypymufx.sys (*** hidden *** ) [SYSTEM] SKYNETxmkxidjr <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACdojdvjiyey.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

---------------------------------------------

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 796
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 848
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 872
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 920
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 932
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1108
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1196
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1260
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1328
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1564
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1580
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1888
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 2008
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 148
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 284
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 340
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 500
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PID: 548
Hidden: No
Window Visible: No

Name: C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PID: 588
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\nvsvc32.exe
PID: 692
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 844
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wdfmgr.exe
PID: 1688
Hidden: No
Window Visible: No

Name: C:\WINDOWS\msa.exe
PID: 1488
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 2144
Hidden: No
Window Visible: No

Name: C:\Program Files\Vongo\VongoService.exe
PID: 2272
Hidden: No
Window Visible: No

Name: C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PID: 2316
Hidden: No
Window Visible: No

Name: C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
PID: 2424
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 2720
Hidden: No
Window Visible: No

Name: C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
PID: 2812
Hidden: No
Window Visible: No

Name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PID: 2840
Hidden: No
Window Visible: No

Name: C:\Program Files\Hp\QuickPlay\QPService.exe
PID: 2848
Hidden: No
Window Visible: No

Name: C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
PID: 2868
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PID: 2928
Hidden: No
Window Visible: No

Name: C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
PID: 2976
Hidden: No
Window Visible: No

Name: C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PID: 3064
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 3104
Hidden: No
Window Visible: No

Name: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 3212
Hidden: No
Window Visible: No

Name: C:\Program Files\PeerGuardian2\pg2.exe
PID: 3256
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 3312
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 3680
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
PID: 2668
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 3752
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 3792
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 1960
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\me.PC608619932964\Desktop\Unused Desktop Shortcuts\SysProt\SysProt\SysProt.exe
PID: 3100
Hidden: No
Window Visible: Yes

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 2388
Hidden: No
Window Visible: No

Name: C:\DOCUME~1\MEA40B~1.PC6\LOCALS~1\Temp\b.exe
PID: 2176
Hidden: No
Window Visible: No

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: C:\WINDOWS\system32\drivers\kungsfiwtgxiif.sys
Service Name: kungsffifukier
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \systemroot\system32\drivers\SKYNETnypymufx.sys
Service Name: SKYNETxmkxidjr
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \systemroot\system32\drivers\UACdojdvjiyey.sys
Service Name: UACd.sys
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \??\C:\Documents and Settings\me.PC608619932964\Desktop\Unused Desktop Shortcuts\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B85A0000
Module End: B85AB000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E2000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E2000
Module End: 80702C80
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7A70000
Module End: F7A72000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F7980000
Module End: F7983000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F7441000
Module End: F746F000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7A72000
Module End: F7A74000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F7430000
Module End: F7441000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F7570000
Module End: F7579000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: F7580000
Module End: F758F000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: F7590000
Module End: F759D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: F7984000
Module End: F7987000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: F7988000
Module End: F798C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7B38000
Module End: F7B39000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F77F0000
Module End: F77F7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: F7A74000
Module End: F7A76000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaide.sys
Service Name: ViaIde
Module Base: F7A76000
Module End: F7A78000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aliide.sys
Service Name: AliIde
Module Base: F7A78000
Module End: F7A7A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pcmcia.sys
Service Name: Pcmcia
Module Base: F7412000
Module End: F7430000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F75A0000
Module End: F75AB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F73F3000
Module End: F7412000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPIEC.sys
Service Name: ACPIEC
Module Base: F798C000
Module End: F798F000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Service Name: ---
Module Base: F7B39000
Module End: F7B3A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F77F8000
Module End: F77FD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F75B0000
Module End: F75BD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F73DB000
Module End: F73F3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\nvata.sys
Service Name: nvata
Module Base: F73C2000
Module End: F73DB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F75C0000
Module End: F75C9000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F75D0000
Module End: F75DD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltMgr.sys
Service Name: FltMgr
Module Base: F73A3000
Module End: F73C2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F7391000
Module End: F73A3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F7800000
Module End: F7805000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F737A000
Module End: F7391000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F72ED000
Module End: F737A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F72C0000
Module End: F72ED000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Serial.sys
Service Name: Serial
Module Base: F75E0000
Module End: F75F0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F72A5000
Module End: F72C0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: F75F0000
Module End: F7600000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Service Name: AmdK8
Module Base: F7620000
Module End: F762E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
Service Name: HBtnKey
Module Base: F6A35000
Module End: F6A38000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F7630000
Module End: F7639000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F78F0000
Module End: F78F7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Service Name: WmiAcpi
Module Base: F6A31000
Module End: F6A34000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
Service Name: BCM43XX
Module Base: F5CAC000
Module End: F5D14000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Service Name: nv
Module Base: F592E000
Module End: F5CAC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F591A000
Module End: F592E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nvsmu.sys
Service Name: nvsmu
Module Base: F6A1D000
Module End: F6A20000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: F78F8000
Module End: F78FD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F58F7000
Module End: F591A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F7900000
Module End: F7907000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F7640000
Module End: F764B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F7650000
Module End: F765D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F7660000
Module End: F766E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F58D4000
Module End: F58F7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: F7670000
Module End: F767A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Service Name: sdbus
Module Base: F58C3000
Module End: F58D4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
Service Name: rimmptsk
Module Base: F7908000
Module End: F7910000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
Service Name: rimsptsk
Module Base: F7680000
Module End: F768D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
Service Name: rismxdp
Module Base: F5877000
Module End: F58C3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: F5852000
Module End: F5877000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Service Name: nvnetbus
Module Base: F7A1C000
Module End: F7A20000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Service Name: ---
Module Base: F5807000
Module End: F5852000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS
Service Name: ---
Module Base: F57D0000
Module End: F5807000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F7690000
Module End: F769D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F7910000
Module End: F7916000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Service Name: SynTP
Module Base: F57A0000
Module End: F57D0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F7AAE000
Module End: F7AB0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F7918000
Module End: F791E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: F7A20000
Module End: F7A24000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7C16000
Module End: F7C17000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F6470000
Module End: F647D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F7A24000
Module End: F7A27000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F5789000
Module End: F57A0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F6460000
Module End: F646B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F6450000
Module End: F645C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F7920000
Module End: F7925000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F5750000
Module End: F5761000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F6440000
Module End: F6449000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7928000
Module End: F792D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F7930000
Module End: F7935000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F6430000
Module End: F643A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F7AB0000
Module End: F7AB2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F571C000
Module End: F5750000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F7A30000
Module End: F7A34000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: F7A38000
Module End: F7A3C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F6420000
Module End: F642A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: EEF83000
Module End: EEF92000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Service Name: NVENETFD
Module Base: EEF73000
Module End: EEF7C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\CHDAud.sys
Service Name: HdAudAddService
Module Base: ED348000
Module End: ED3DD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: ED324000
Module End: ED348000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: EEF63000
Module End: EEF72000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
Service Name: HSFHWAZL
Module Base: ED2F1000
Module End: ED324000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
Service Name: HSF_DPV
Module Base: ED1FD000
Module End: ED2F1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Service Name: winachsf
Module Base: ED14B000
Module End: ED1FD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: EEE70000
Module End: EEE78000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Service Name: i2omgmt
Module Base: F1348000
Module End: F134A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F1346000
Module End: F1348000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: EDC04000
Module End: EDC05000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F1344000
Module End: F1346000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: EDE2B000
Module End: EDE31000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F1342000
Module End: F1344000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F1340000
Module End: F1342000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: EDE23000
Module End: EDE28000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: EDE1B000
Module End: EDE23000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: EED4E000
Module End: EED51000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: EDDEB000
Module End: EDDF3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: EDB60000
Module End: EDB63000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: ECE62000
Module End: ECE75000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: ECE0A000
Module End: ECE62000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: ECDE2000
Module End: ECE0A000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: ECDC0000
Module End: ECDE2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: ED4B0000
Module End: ED4B9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\eabfiltr.sys
Service Name: eabfiltr
Module Base: EFC15000
Module End: EFC17000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: ECD94000
Module End: ECDC0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: ECD25000
Module End: ECD94000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: ED490000
Module End: ED499000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: ECD04000
Module End: ECD25000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: ED470000
Module End: ED479000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: EDE83000
Module End: EDE92000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
Service Name: NuidFltr
Module Base: F78B0000
Module End: F78B7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS
Service Name: ---
Module Base: F7600000
Module End: F760D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
Service Name: Wdf01000
Module Base: EE561000
Module End: EE5DC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: F2E12000
Module End: F2E15000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\usbvideo.sys
Service Name: usbvideo
Module Base: EFA6B000
Module End: EFA7F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: ECCE1000
Module End: ECD04000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_nvata.sys
Service Name: ---
Module Base: ECCC8000
Module End: ECCE1000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7ADC000
Module End: F7ADE000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: EFFF1000
Module End: EFFF4000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F1022000
Module End: F1027000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: ED53F000
Module End: ED540000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: F00E9000
Module End: F00ED000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: B92AD000
Module End: B92DA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: B9248000
Module End: B925D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: EDE73000
Module End: EDE82000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: B9061000
Module End: B90B3000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\mbam.sys
Service Name: MBAMProtector
Module Base: B91D7000
Module End: B91DA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: B928D000
Module End: B9291000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
Service Name: symlcbrd
Module Base: EFC69000
Module End: EFC6F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: B8BE8000
Module End: B8C29000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: EDEA3000
Module End: EDEB3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
Service Name: IpFilterDriver
Module Base: B8B68000
Module End: B8B71000
Hidden: No

Module Name: \??\C:\Program Files\PeerGuardian2\pgfilter.sys
Service Name: pgfilter
Module Base: F7830000
Module End: F7836000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: B8556000
Module End: B8580000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwFlushInstructionCache
At Address: 805B5642
Jump To: 8567C112
Module Name: _unknown_

Hooked Function: ZwEnumerateKey
At Address: 80622DE0
Jump To: 8567BBFA
Module Name: _unknown_

Hooked Function: IofCompleteRequest
At Address: 804EF230
Jump To: 854ABC6A
Module Name: _unknown_

Hooked Function: IofCallDriver
At Address: 804EF1A0
Jump To: 8567BA62
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: PC608619932964.NO.COX.NET:1245
Remote Address: AD1.P2.VIP.RM.SP1.YAHOO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1240
Remote Address: MAP-C.PIPELANE.NET:HTTP
Type: TCP
Process: C:\WINDOWS\msa.exe
State: ESTABLISHED

Local Address: PC608619932964.NO.COX.NET:1239
Remote Address: DAL-AGG-N48.PANTHERCDN.COM:HTTP
Type: TCP
Process: C:\WINDOWS\msa.exe
State: ESTABLISHED

Local Address: PC608619932964.NO.COX.NET:1238
Remote Address: DAL-AGG-N48.PANTHERCDN.COM:HTTP
Type: TCP
Process: C:\WINDOWS\msa.exe
State: CLOSE_WAIT

Local Address: PC608619932964.NO.COX.NET:1235
Remote Address: 216.178.33.50:HTTP
Type: TCP
Process: C:\WINDOWS\msa.exe
State: ESTABLISHED

Local Address: PC608619932964.NO.COX.NET:1230
Remote Address: AD1.P2.VIP.RM.SP1.YAHOO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1207
Remote Address: BWCLICKB.LAS.MARCHEX.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1203
Remote Address: IP70-167-151-135.AT.AT.COX.NET:HTTP
Type: TCP
Process: C:\WINDOWS\msa.exe
State: ESTABLISHED

Local Address: PC608619932964.NO.COX.NET:1200
Remote Address: CLICK.LAS.MARCHEX.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1199
Remote Address: 66.116.125.43:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1185
Remote Address: AD1.P1.VIP.RM.SP1.YAHOO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1174
Remote Address: SERVER-216-137-43-241.DFW3.CLOUDFRONT.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1165
Remote Address: AD1.P1.VIP.RM.SP1.YAHOO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1163
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1158
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1157
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1155
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1154
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1151
Remote Address: 4.23.45.126:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1150
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1146
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1143
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1141
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1137
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1136
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1135
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1134
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1133
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1126
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1125
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1124
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1121
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1119
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1118
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1116
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1114
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1113
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1112
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1111
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1110
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:KPOP
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1108
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1107
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1106
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1105
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1100
Remote Address: GEEK15.GEEKSTOGO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1095
Remote Address: 8.19.18.47:HTTP
Type: TCP
Process: C:\WINDOWS\msa.exe
State: ESTABLISHED

Local Address: PC608619932964.NO.COX.NET:1086
Remote Address: MAIL1.KOENIG-SOLUTIONS.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1084
Remote Address: IP70-167-151-171.AT.AT.COX.NET:HTTP
Type: TCP
Process: C:\WINDOWS\msa.exe
State: ESTABLISHED

Local Address: PC608619932964.NO.COX.NET:1079
Remote Address: 213-133-110-21.CLIENTS.YOUR-SERVER.DE:HTTPS
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: CLOSE_WAIT

Local Address: PC608619932964.NO.COX.NET:1077
Remote Address: STATIC.91.213.46.78.CLIENTS.YOUR-SERVER.DE:HTTPS
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: CLOSE_WAIT

Local Address: PC608619932964.NO.COX.NET:1059
Remote Address: COOKEX1.CL1.ADS.ADX.VIP.AC4.YAHOO.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1054
Remote Address: PERFORA.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1052
Remote Address: OOL-457C89D8.DYN.OPTONLINE.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1051
Remote Address: PROJECTS.SOURCEFORGE.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1048
Remote Address: 212.100.242.237:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1046
Remote Address: OOL-457C89D8.DYN.OPTONLINE.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1045
Remote Address: OOL-457C89D8.DYN.OPTONLINE.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1044
Remote Address: PROJECTS.SOURCEFORGE.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1043
Remote Address: PROJECTS.SOURCEFORGE.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1042
Remote Address: PROJECTS.SOURCEFORGE.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1041
Remote Address: PROJECTS.SOURCEFORGE.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1040
Remote Address: PROJECTS.SOURCEFORGE.NET:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:1028
Remote Address: 64.27.1.205:HTTP
Type: TCP
Process: 688 (PID)
State: FIN_WAIT1

Local Address: PC608619932964.NO.COX.NET:1027
Remote Address: A72-246-90-10.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: PC608619932964.NO.COX.NET:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: PC608619932964:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: PC608619932964:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: PC608619932964:5152
Remote Address: LOCALHOST:1089
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: PC608619932964:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: PC608619932964:1089
Remote Address: LOCALHOST:5152
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: FIN_WAIT2

Local Address: PC608619932964:1030
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: PC608619932964:2005
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Vongo\VongoService.exe
State: LISTENING

Local Address: PC608619932964:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: PC608619932964:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: PC608619932964.NO.COX.NET:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: PC608619932964.NO.COX.NET:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: PC608619932964.NO.COX.NET:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: PC608619932964.NO.COX.NET:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: PC608619932964.NO.COX.NET:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: PC608619932964:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: PC608619932964:1087
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: PC608619932964:1026
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\msa.exe
State: NA

Local Address: PC608619932964:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: PC608619932964:58277
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: PC608619932964:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: PC608619932964:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: PC608619932964:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: PC608619932964:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}
Status: Access denied

Object: C:\WINDOWS\system32\drivers\SKYNETnypymufx.sys
Status: Hidden

Object: C:\WINDOWS\system32\drivers\UACdojdvjiyey.sys
Status: Hidden

Object: C:\WINDOWS\system32\SKYNETahjsciay.dat
Status: Hidden

Object: C:\WINDOWS\system32\SKYNETciasxbat.dat
Status: Hidden

Object: C:\WINDOWS\system32\SKYNETrvobvvix.dll
Status: Hidden

Object: C:\WINDOWS\system32\SKYNETwyvdfcag.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACafcoxrqmat.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACaxjydlssst.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACayuefvebnr.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACclybadlboh.dat
Status: Hidden

Object: C:\WINDOWS\system32\UACifkmqheaiv.db
Status: Hidden

Object: C:\WINDOWS\system32\uacinit.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACobwjcjvipk.dll
Status: Hidden

Object: C:\WINDOWS\system32\UACwcohlsqalp.dll
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETacamtrgtlq.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETadlbvpvbux.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETajdqfegdst.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETaljgynfmqv.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETaokaojmsgb.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETarbjtoevnf.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETaungupnafd.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETavqfvkcpfl.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETaxlrmanlss.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETbatytaxcdg.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETbjnugvmilo.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETbmgjmituqn.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETbpcjwxpkla.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETbqycimceth.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETbwnuaanubj.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETbwxprkpnjm.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETbxtlonyjas.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETbyuboxlkdh.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETchcvendrbj.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETchmngvxfer.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETcrrwiumais.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETcsurixloli.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETcuucuxdefy.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETcvbdmxnywq.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETcwhpehycjt.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETcxugkjbvhf.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETdctuwydmri.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETderlnvvdlt.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETdliwjhncxg.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETdooriudget.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETdtlesfsmrx.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETdwdxhjpfoy.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETeckgxujfqk.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETefirhpeahf.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETehhtgykops.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETescvxdrivt.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETesxkhumwye.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETetblchafss.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETfccieylncm.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETfddknrtytd.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETfdyjkawemt.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETfkofdriawm.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETfmqdncnlas.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETftxgflyjsq.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETgbrqskquux.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETgkwojmguyr.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETgmehorruvn.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETgopogoelcb.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETgypvwfxoya.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNEThbvlxqvhkv.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNEThcvibalkud.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNEThmqowpnhje.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNEThnfcnstsga.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNEThoylhdwpse.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNEThqbjlbpkhk.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETicxbpqlsbe.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETidfiturbgs.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETighkssqfoy.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETihqlunosfu.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETiqcsvfncja.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETiqjismnwmn.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETirtshneyaw.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETjaupadlqtg.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETjccrymqceh.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETjfrcmgexvl.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETjftapbdivx.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETjfyvvygbft.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETjmmbraaaar.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETjnnkutxdce.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETjsppyfdmxv.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETjsvqyxfvid.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETkhqirrnqkb.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETkokccstaql.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETkpfxjppxmk.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETkpltfibdsy.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETktxqfajmsi.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETkxdjnubpts.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETkxxrekdctf.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETlbrmgdoauv.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETlbsyeiesls.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETlcsrjsqvek.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETldrgalvtmc.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETlerpllqwlw.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETlmsxuuqrnm.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETlpyciokwaf.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETlpyprvcdrs.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETlsyoisgbxm.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETltptwmvoal.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETlvpxdicsix.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETlvuinptjdr.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETlyqrsydklq.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETmpdmxbhoan.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETmuutpkqpbx.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETmvejjdgodw.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETmyqvvnboqy.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETnfnnsncjjs.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETnghpnxjnoa.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETnkatifivfn.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETnkjchrajey.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETnmstovmyes.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETnognukfnmf.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETnrcbewvqwv.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETnvqbkewyss.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETnvydoeyamd.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETnwjxhutqre.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETnxtaucctpj.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETobckxcwnnu.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETocrlequeyy.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNEToeqwnbnwjo.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETogajypkgtc.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETohuqfrmbgi.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNEToijbwitfny.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETolokmstopn.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETopidgemryl.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETopxucxxhnh.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNEToukfmgdyep.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETouxnwdaype.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETowhogxfjyg.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNEToxhcrcjpac.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNEToyprvmbfhk.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETpcdkovwtwc.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETpdqtquqxwj.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETpieqkgghcg.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETpmlnhaepqg.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETppcjlcvqwh.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETpsyrmqnqlh.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETpuusiowslr.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETpwbwmrvfiy.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETpwcpvxnidg.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETpwkrtyiiaw.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETqbjwiqolbn.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETqbqajlktba.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETqbyhfmmmvu.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETqeltehghgr.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETqfpgfvdqcm.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETqoiskavxgx.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETqqfganoiig.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETqxsbvejiuh.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETraeeuydumt.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETrdihtkxbsb.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETrkdihhqxqg.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETrlghpymals.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETrnjvkqlloo.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETromqescigo.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETrsobaeckcq.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETrvmibwwqsu.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETryixyaigcq.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETsevrfdlhnx.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETsfonrymham.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETslocquudoi.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETsohevhnqcr.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETsqsrhcwelf.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETswptxbmblk.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETtdegnilbeo.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETtguduqweat.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETtiuinfqhfe.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETtmeqqccodj.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETtmoxmacrma.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETtpxtswqcce.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETttsinuxxkf.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETtxbiesmcyv.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETtxudteyneo.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETucnacwehhl.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETucsayeiosl.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETuhebhebmam.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETuiiunlrncy.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETuumlpuwjxt.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETvbpynwbsbh.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETvctijmrvqv.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETveujvydhjw.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETvgqoncrkck.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETvkljuqhxcm.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETvyackinfuv.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETwcfrnmmpse.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETwfcvjuemht.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETwfteunuraj.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETwfvlkjsuyl.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETwhvrwvifsy.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETwkedcdfnie.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETwkmrdlkeup.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETwnrgteesay.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETwryaevofkn.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETwtqaewaotb.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETwuypbvtbtb.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETwxeiuaciqu.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETxcqdpeaeun.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETxeriysgqhd.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETxgojouoobi.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETxjmvmmetgh.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETxoyclawqmd.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETxulxdqtcbr.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETydjusexoyv.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETyhrtcsxait.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETykasayhvsh.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETyndwbauqri.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETyqvxssyvtu.tmp
Status: Hidden

Object: C:\WINDOWS\temp\SKYNETyripgycwxb.tmp
Status: Hidden

Object: C:\WINDOWS\temp\UACc3f.tmp
Status: Hidden

Object: C:\WINDOWS\temp\UACdb86.tmp
Status: Hidden

--------------------------
#4
askey35
    Topic Starter, Member, 10 posts
DDS (Ver_09-06-26.01) - NTFSx86
Run by me at 18:12:23.54 on Fri 07/24/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.489 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\msa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\me.PC608619932964\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Google Update] "c:\documents and settings\me.pc608619932964\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Monopod] c:\docume~1\mea40b~1.pc6\locals~1\temp\b.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [net] "c:\windows\system32\net.net"
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-5-8 179856]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-5-8 15504]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-26 24652]

=============== Created Last 30 ================

2009-07-23 23:08 <DIR> --d----- c:\documents and settings\me.pc608619932964\.SunDownloadManager
2009-07-23 21:49 141,312 a------- c:\windows\msa.exe
2009-07-23 21:49 140,804 a------- c:\windows\system32\msxml71.dll
2009-07-23 21:48 36,864 a------- c:\windows\system32\net.net
2009-07-23 21:36 1,176,970 a------- c:\windows\system32\xa.tmp
2009-07-20 21:31 <DIR> --d----- c:\program files\MagicDVDRipper
2009-07-19 01:02 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-14 22:32 <DIR> --d----- c:\program files\AviSynth 2.5
2009-07-14 22:32 <DIR> --d----- c:\program files\AnMing
2009-07-05 15:00 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 15:00 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-05 14:59 21,504 a------- c:\windows\system32\drivers\hidserv.dll

==================== Find3M ====================

2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 09:55 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 09:55 82,432 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-04 21:44 417,344 a------- c:\windows\system32\kungsfaqibcgbj.dat
2009-06-03 22:08 19,968 a------- c:\windows\system32\drivers\kungsfiwtgxiif.sys
2009-06-03 22:08 19,456 a------- c:\windows\system32\kungsfshcskiuw.dll
2009-06-03 22:08 22,016 a------- c:\windows\system32\kungsfiardaknw.dll
2009-06-03 20:11 45,056 a------- c:\windows\system32\lmn_setup.exe
2009-06-03 14:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-03 14:27 1,290,752 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 00:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 00:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-09 01:14 1,418,120 a------- c:\windows\system32\wdfcoinstaller01005.dll
2009-05-08 23:53 302 a------- c:\docume~1\mea40b~1.pc6\applic~1\wklnhst.dat
2009-05-07 10:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 10:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 16:22 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-04-30 16:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 16:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 16:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 16:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 16:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 16:22 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-04-30 06:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2006-08-27 21:33 0 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 18:14:25.82 ===============


#5 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

OK, we have to be very careful here as you have three rootkit variants showing.

I need you to follow my instructions exactly as laid out, OK. Please print out this post and read through it fully before proceeding. If there is anything you are unsure about, please ask it before starting.

Now before we go any further, let's get the recovery console installed.

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Download XP Home's Recovery Console installation file from here or here and save it to your desktop as it's originally named.

Delete the version of Combofix that you already have.

Download ComboFix from Here or Here to your Desktop.

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

  • Drag the Recovery Console setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


  • IF THE RECOVERY CONSOLE IS NOT REPORTED AS BEING SUCCESSFULLY INSTALLED, CLICK NO WHEN PROMPTED TO RUN THE FULL SCAN. REPORT THIS BACK TO ME HERE AND DO NOT PROCEED WITH ANYTHING FURTHER!
  • If the Recovery Console is reported as successfully installed, then at the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

#6 askey35 (Topic Starter, Member, 10 posts)
Scanned it and it said it found rootkit activity. It then rebooted the computer and finished the scan. It also told me to write down a bunch of file names; I have them if needed.


ComboFix 09-07-23.04 - me 07/24/2009 21:53.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.704 [GMT -5:00]
Running from: c:\documents and settings\me.PC608619932964\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\me.PC608619932964\Desktop\WinXP_EN_HOM_BF.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\recycler\S-1-5-21-1081432631-2308106724-2087546703-1006
c:\windows\Installer\13c42.msi
c:\windows\Installer\23bb042.msi
c:\windows\Installer\272272f.msi
c:\windows\Installer\2722738.msi
c:\windows\Installer\33c9a56a.msi
c:\windows\Installer\33c9a570.msi
c:\windows\Installer\33c9a574.msi
c:\windows\Installer\39da5bbd.msi
c:\windows\Installer\5e4f3f2.msi
c:\windows\Installer\74fbfee.msi
c:\windows\Installer\8225d88.msi
c:\windows\Installer\8225da0.msp
c:\windows\Installer\a68a01f.msi
c:\windows\Installer\a68a023.msi
c:\windows\Installer\e88430.msi
c:\windows\Installer\e88436.msi
c:\windows\msa.exe
c:\windows\system32\ammppg.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\kungsfiwtgxiif.sys
c:\windows\system32\drivers\SKYNETnypymufx.sys
c:\windows\system32\drivers\UACdojdvjiyey.sys
c:\windows\system32\kungsfaqibcgbj.dat
c:\windows\system32\kungsfiardaknw.dll
c:\windows\system32\kungsfshcskiuw.dll
c:\windows\system32\kungsfylvbtlre.dat
c:\windows\system32\lmn_setup.exe
c:\windows\system32\msxml71.dll
c:\windows\system32\net.net
c:\windows\system32\SKYNETahjsciay.dat
c:\windows\system32\SKYNETciasxbat.dat
c:\windows\system32\SKYNETrvobvvix.dll
c:\windows\system32\SKYNETwyvdfcag.dll
c:\windows\system32\UACafcoxrqmat.dll
c:\windows\system32\UACaxjydlssst.dll
c:\windows\system32\UACayuefvebnr.dll
c:\windows\system32\UACclybadlboh.dat
c:\windows\system32\UACifkmqheaiv.db
c:\windows\system32\uacinit.dll
c:\windows\system32\UACobwjcjvipk.dll
c:\windows\system32\UACwcohlsqalp.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kungsffifukier
-------\Service_SKYNETxmkxidjr
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-06-25 to 2009-07-25 )))))))))))))))))))))))))))))))
.

2009-07-25 02:31 . 2009-07-25 02:32 -------- d-----w- C:\32788R22FWJFW
2009-07-24 04:08 . 2009-07-24 04:12 -------- d-----w- c:\documents and settings\me.PC608619932964\.SunDownloadManager
2009-07-21 02:31 . 2009-07-21 02:31 -------- d-----w- c:\documents and settings\me.PC608619932964\Local Settings\Application Data\MagicSoftware
2009-07-21 02:31 . 2009-07-21 02:31 -------- d-----w- c:\program files\MagicDVDRipper
2009-07-19 06:02 . 2009-07-19 06:02 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-18 20:30 . 2009-07-18 20:30 -------- d-----w- c:\documents and settings\me.PC608619932964\Local Settings\Application Data\Temp
2009-07-14 22:37 . 2009-07-14 22:57 -------- d-----w- c:\docume~1\MEA40B~1.PC6\APPLIC~1\U3
2009-07-05 19:59 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-25 02:30 . 2009-05-09 14:40 -------- d-----w- c:\program files\PeerGuardian2
2009-07-24 03:17 . 2009-05-09 04:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-24 03:02 . 2009-07-24 02:59 64568 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-24 02:53 . 2009-05-09 03:58 -------- d-----w- c:\docume~1\MEA40B~1.PC6\APPLIC~1\uTorrent
2009-07-24 02:36 . 2009-07-24 02:36 1176970 ----a-w- c:\windows\system32\xa.tmp
2009-07-18 20:18 . 2009-07-15 03:32 -------- d-----w- c:\program files\AnMing
2009-07-15 03:32 . 2009-07-15 03:32 -------- d-----w- c:\program files\AviSynth 2.5
2009-07-05 20:00 . 2009-07-05 20:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 20:00 . 2009-07-05 20:00 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-24 01:37 . 2006-08-03 03:08 -------- d-----w- c:\program files\DIFX
2009-06-16 14:55 . 2005-10-18 05:14 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2005-10-18 05:14 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-05 03:11 . 2009-06-05 03:11 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-03 19:27 . 2005-08-30 11:54 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-27 03:15 . 2009-05-27 02:53 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AOL OCP
2009-05-27 03:14 . 2009-05-27 03:14 -------- d-----w- c:\docume~1\MEA40B~1.PC6\APPLIC~1\acccore
2009-05-27 03:14 . 2009-05-27 02:53 -------- d-----w- c:\program files\AIM6
2009-05-27 02:54 . 2009-05-27 02:54 -------- d-----w- c:\program files\Viewpoint
2009-05-27 02:54 . 2009-05-27 02:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
2009-05-27 02:54 . 2009-05-27 02:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\acccore
2009-05-27 02:53 . 2009-05-27 02:53 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AOL
2009-05-27 02:53 . 2009-05-27 02:53 -------- d-----w- c:\program files\Common Files\AOL
2009-05-13 05:15 . 2004-08-04 21:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 06:14 . 2009-05-09 06:14 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2009-05-09 06:14 . 2009-05-09 06:14 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2009-05-09 04:53 . 2009-04-27 05:24 302 ----a-w- c:\docume~1\MEA40B~1.PC6\APPLIC~1\wklnhst.dat
2009-05-07 15:44 . 2004-08-04 21:00 344064 ----a-w- c:\windows\system32\localspl.dll
2006-08-28 02:33 . 2009-01-18 05:29 0 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Google Update"="c:\documents and settings\me.PC608619932964\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-09 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-21 7561216]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-03-26 401040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-19 148888]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-18 61952]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Pavilion Webcam Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Pavilion Webcam Tray Icon.lnk
backup=c:\windows\pss\HP Pavilion Webcam Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^me.PC608619932964^Start Menu^Programs^StartUp^FrostWire On Startup.lnk]
path=c:\documents and settings\me.PC608619932964\Start Menu\Programs\StartUp\FrostWire On Startup.lnk
backup=c:\windows\pss\FrostWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^me.PC608619932964^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\me.PC608619932964\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/8/2009 11:31 PM 179856]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/26/2009 9:54 PM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/8/2009 11:31 PM 15504]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-net - c:\windows\system32\net.net


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-24 21:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???P?????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-25 22:00
ComboFix-quarantined-files.txt 2009-07-25 03:00

Pre-Run: 52,414,361,600 bytes free
Post-Run: 52,531,122,176 bytes free

WinXP_EN_HOM_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

197 --- E O F --- 2009-07-15 08:00
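RatHat's remark in #5 about three rootkit variants maps directly onto the ComboFix deletions in this log: three groups of randomly named files (kungsf*, SKYNET*, UAC*), each with its own .sys under system32\drivers and its own service, plus the Security Center override values in the registry section. The following Python script is an added example written for this page; it is not ComboFix, DDS, or anything RatHat used in the thread. It clusters log paths by shared name prefix so one family shows up as one finding, and separately flags the Security Center values. The thresholds (12-character stems, 3-character prefixes), the FirewallOverride/UpdatesOverride value names, and the choice of control lines are its own assumptions; the sample lines are copied from the log above.

```python
import re
from itertools import combinations

# Constructed sample for this added example: paths copied from the ComboFix
# "Other Deletions" and "Reg Loading Points" sections in the thread, plus two
# legitimate entries from the same log (hidserv.dll, CHDAudPropShortcut.exe).
SAMPLE_LOG = r"""
c:\windows\system32\drivers\kungsfiwtgxiif.sys
c:\windows\system32\drivers\SKYNETnypymufx.sys
c:\windows\system32\drivers\UACdojdvjiyey.sys
c:\windows\system32\kungsfaqibcgbj.dat
c:\windows\system32\SKYNETrvobvvix.dll
c:\windows\system32\UACafcoxrqmat.dll
c:\windows\system32\net.net
c:\windows\system32\drivers\hidserv.dll
c:\windows\system32\CHDAudPropShortcut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"""

FILE_RE = re.compile(r"^[a-z]:\\.*\\([^\\]+)\.([a-z0-9]+)$", re.I)
SC_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center", re.I)
# AntiVirusOverride/DisableMonitoring are in the log; the other two are assumed.
SC_VALUE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride|UpdatesOverride|'
                         r'DisableMonitoring)"=dword:0*1$', re.I)
MIN_STEM = 12    # assumption: random component names are at least this long
MIN_PREFIX = 3   # assumption: a family's fixed prefix is at least this long

def parse_files(log):
    """Yield (path, stem) for every line that is a full Windows path."""
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            yield line.strip(), m.group(1)

def common_prefix(a, b):
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]

def find_families(log):
    """Cluster long, digit-free stems that pairwise share MIN_PREFIX+ chars.
    Returns {family_prefix: sorted paths}; singletons are dropped."""
    cands = [(p, s) for p, s in parse_files(log)
             if len(s) >= MIN_STEM and not any(c.isdigit() for c in s)]
    parent = list(range(len(cands)))           # union-find over candidates
    def root(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i, j in combinations(range(len(cands)), 2):
        if len(common_prefix(cands[i][1], cands[j][1])) >= MIN_PREFIX:
            parent[root(i)] = root(j)
    groups = {}
    for i, (path, stem) in enumerate(cands):
        groups.setdefault(root(i), []).append((path, stem))
    families = {}
    for members in groups.values():
        if len(members) < 2:
            continue
        prefix = members[0][1]
        for _, stem in members[1:]:
            prefix = common_prefix(prefix, stem)
        families[prefix] = sorted(path for path, _ in members)
    return families

def has_kernel_driver(paths):
    """True if the family dropped a .sys under system32\\drivers."""
    return any("\\drivers\\" in p.lower() and p.lower().endswith(".sys") for p in paths)

def find_security_center_overrides(log):
    """Return (key, value_name) pairs set to 1 under HKLM\\...\\Security Center.
    AntiVirusOverride=1 tells Security Center not to warn that antivirus is off."""
    hits, current = [], None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("["):
            current = line if SC_KEY_RE.match(line) else None
            continue
        m = SC_VALUE_RE.match(line) if current else None
        if m:
            hits.append((current, m.group(1)))
    return hits

def triage(log):
    """Combine both checks into one report dict."""
    return {
        "families": {p: {"members": m, "kernel_driver": has_kernel_driver(m)}
                     for p, m in find_families(log).items()},
        "security_center_overrides": find_security_center_overrides(log),
    }

if __name__ == "__main__":
    for prefix, info in triage(SAMPLE_LOG)["families"].items():
        print(prefix, len(info["members"]), "components, driver:", info["kernel_driver"])
```

Prefix clustering reports families, not lone droppers: msa.exe and net.net have short, ordinary-looking names and pass through untouched, which is why RatHat's later CFScript names c:\windows\msa.exe explicitly. On a real log, review each cluster before acting on it; two legitimate long names can share a prefix too.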

#7 RatHat (Ex Malware Expert, 7,829 posts)
Way to go! That was very lucky.

Give me some time to go through your log and see what needs to be done next. Unfortunately I have to go out shortly, so if I can't get the next part ready, I will do it tonight.

Please keep your computer use to a minimum until I have been able to come up with the next part of your fix.

Regards,
RatHat

#8 askey35 (Topic Starter, Member, 10 posts)
OK, I'll keep it to a minimum. The computer is still being very laggy and slow.


thanks for the help so far,

Kevin

#9 RatHat (Ex Malware Expert, 7,829 posts)
Kevin,

There is a fair bit to do yet, but the most dangerous part is (I hope) over.

Whatever you do, keep your online activities to an absolute minimum. If you can disconnect the machine from the internet except for checking back here for my reply, that would be the best.

#10 RatHat (Ex Malware Expert, 7,829 posts)
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\msa.exe
c:\windows\system32\xa.tmp

KILLALL::

DirLook::
C:\WINDOWS\temp


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the Combofix.txt report into your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's try MBAM, and see what it finds.
  • Open MBAM and click on the Update tab
  • Click the Check for Updates button
  • If an update is found, it will download and install the latest version.
  • Once the update is completed, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner.
Note: You must disable your Anti Virus program during the scan. If you are unsure of how to disable these programs, please refer to this page for details.
  • Click the Accept button to agree to the disclaimer.

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded and updated click on My Computer in the Scan settings
    • This will start the scan of your system.
    • The scan will take a while so be patient and let it run until it is complete.
    • Now click on the View scan report link:
  • Click the Save report as button
  • Under Save as type, choose Text file (*.txt)
  • Save the file to your desktop as Kaspersky.txt
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download Rooter.exe to your desktop
  • Then double-click it to start the tool
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt (Where %systemdrive% is usually C: or the drive that you have installed Windows). Post that in your next reply.




#11 askey35 (Topic Starter, Member, 10 posts)
Combo fix log 2


ComboFix 09-07-23.04 - me 07/25/2009 15:29.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.632 [GMT -5:00]
Running from: c:\documents and settings\me.PC608619932964\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\me.PC608619932964\Desktop\CFScript.txt

FILE ::
"c:\windows\msa.exe"
"c:\windows\system32\xa.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\xa.tmp

.
((((((((((((((((((((((((( Files Created from 2009-06-25 to 2009-07-25 )))))))))))))))))))))))))))))))
.

2009-07-25 20:27 . 2009-07-25 20:28 -------- d-----w- C:\32788R22FWJFW
2009-07-24 04:08 . 2009-07-24 04:12 -------- d-----w- c:\documents and settings\me.PC608619932964\.SunDownloadManager
2009-07-21 02:31 . 2009-07-21 02:31 -------- d-----w- c:\documents and settings\me.PC608619932964\Local Settings\Application Data\MagicSoftware
2009-07-21 02:31 . 2009-07-21 02:31 -------- d-----w- c:\program files\MagicDVDRipper
2009-07-19 06:02 . 2009-07-19 06:02 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-18 20:30 . 2009-07-18 20:30 -------- d-----w- c:\documents and settings\me.PC608619932964\Local Settings\Application Data\Temp
2009-07-14 22:37 . 2009-07-14 22:57 -------- d-----w- c:\docume~1\MEA40B~1.PC6\APPLIC~1\U3
2009-07-05 19:59 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-25 20:38 . 2009-05-09 14:40 -------- d-----w- c:\program files\PeerGuardian2
2009-07-24 03:17 . 2009-05-09 04:11 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-24 03:02 . 2009-07-24 02:59 64568 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-24 02:53 . 2009-05-09 03:58 -------- d-----w- c:\docume~1\MEA40B~1.PC6\APPLIC~1\uTorrent
2009-07-18 20:18 . 2009-07-15 03:32 -------- d-----w- c:\program files\AnMing
2009-07-15 03:32 . 2009-07-15 03:32 -------- d-----w- c:\program files\AviSynth 2.5
2009-07-05 20:00 . 2009-07-05 20:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-05 20:00 . 2009-07-05 20:00 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-24 01:37 . 2006-08-03 03:08 -------- d-----w- c:\program files\DIFX
2009-06-16 14:55 . 2005-10-18 05:14 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2005-10-18 05:14 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-05 03:11 . 2009-06-05 03:11 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-03 19:27 . 2005-08-30 11:54 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-27 03:15 . 2009-05-27 02:53 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AOL OCP
2009-05-27 03:14 . 2009-05-27 03:14 -------- d-----w- c:\docume~1\MEA40B~1.PC6\APPLIC~1\acccore
2009-05-27 03:14 . 2009-05-27 02:53 -------- d-----w- c:\program files\AIM6
2009-05-27 02:54 . 2009-05-27 02:54 -------- d-----w- c:\program files\Viewpoint
2009-05-27 02:54 . 2009-05-27 02:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Viewpoint
2009-05-27 02:54 . 2009-05-27 02:54 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\acccore
2009-05-27 02:53 . 2009-05-27 02:53 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AOL
2009-05-27 02:53 . 2009-05-27 02:53 -------- d-----w- c:\program files\Common Files\AOL
2009-05-13 05:15 . 2004-08-04 21:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 06:14 . 2009-05-09 06:14 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2009-05-09 06:14 . 2009-05-09 06:14 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2009-05-09 04:53 . 2009-04-27 05:24 302 ----a-w- c:\docume~1\MEA40B~1.PC6\APPLIC~1\wklnhst.dat
2009-05-07 15:44 . 2004-08-04 21:00 344064 ----a-w- c:\windows\system32\localspl.dll
2006-08-28 02:33 . 2009-01-18 05:29 0 --sha-w- c:\windows\SMINST\HPCD.SYS
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\temp ----

2009-07-25 02:53 . 2009-07-25 02:53 2048 ----atw- c:\windows\temp\sqlite_NUU2qE2LMdZmr0x
2009-07-25 02:53 . 2009-07-25 02:53 16384 ----atw- c:\windows\temp\Perflib_Perfdata_7e0.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Google Update"="c:\documents and settings\me.PC608619932964\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-09 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-21 7561216]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-03-26 401040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-19 148888]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-18 61952]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Pavilion Webcam Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Pavilion Webcam Tray Icon.lnk
backup=c:\windows\pss\HP Pavilion Webcam Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^me.PC608619932964^Start Menu^Programs^StartUp^FrostWire On Startup.lnk]
path=c:\documents and settings\me.PC608619932964\Start Menu\Programs\StartUp\FrostWire On Startup.lnk
backup=c:\windows\pss\FrostWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^me.PC608619932964^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=c:\documents and settings\me.PC608619932964\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/8/2009 11:31 PM 179856]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/26/2009 9:54 PM 24652]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/8/2009 11:31 PM 15504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PGFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
- - - - ORPHANS REMOVED - - - -

BHO-{500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-25 15:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???`Y????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3988)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Vongo\VongoService.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\documents and settings\me.PC608619932964\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2009-07-25 15:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-25 20:39
ComboFix2.txt 2009-07-25 03:00

Pre-Run: 52,559,085,568 bytes free
Post-Run: 52,533,571,584 bytes free

175 --- E O F --- 2009-07-15 08:00


----------------------------------------------


MBAM LOG


Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 2

7/25/2009 5:10:59 PM
mbam-log-2009-07-25 (17-10-59).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 162010
Time elapsed: 33 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\lmn_setup.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\SKYNETwyvdfcag.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACobwjcjvipk.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\config\systemprofile\protect.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6d05fab2-7a62-4a96-a638-2f0b6a273527}\RP51\A0006112.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6d05fab2-7a62-4a96-a638-2f0b6a273527}\RP51\A0006110.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6d05fab2-7a62-4a96-a638-2f0b6a273527}\RP51\A0006111.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6d05fab2-7a62-4a96-a638-2f0b6a273527}\RP51\A0006113.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6d05fab2-7a62-4a96-a638-2f0b6a273527}\RP84\A0007315.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6d05fab2-7a62-4a96-a638-2f0b6a273527}\RP84\A0007320.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6d05fab2-7a62-4a96-a638-2f0b6a273527}\RP84\A0007361.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6d05fab2-7a62-4a96-a638-2f0b6a273527}\RP84\A0007362.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\start menu\Programs\Startup\ChkDisk.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  • 0

#12
askey35

askey35

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, July 25, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, July 26, 2009 00:14:59
Records in database: 2532990
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Files scanned: 91964
Threat name: 9
Infected objects: 16
Suspicious objects: 1
Duration of the scan: 02:20:20


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETnypymufx.sys.vir Infected: Rootkit.Win32.Agent.mbc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACdojdvjiyey.sys.vir Infected: Rootkit.Win32.Agent.moy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kungsfiardaknw.dll.vir Infected: Trojan-Downloader.Win32.Agent.ceyj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml71.dll.vir Infected: Trojan-Downloader.Win32.FraudLoad.fbi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir Suspicious: Packed.Win32.PECompact 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETrvobvvix.dll.vir Infected: Trojan-Downloader.Win32.Agent.cjsg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACafcoxrqmat.dll.vir Infected: Trojan.Win32.Agent2.kyj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACaxjydlssst.dll.vir Infected: Trojan.Win32.Agent2.kym 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACayuefvebnr.dll.vir Infected: Trojan.Win32.Tdss.ajkj 1
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP84\A0007311.dll Infected: Trojan-Downloader.Win32.Agent.ceyj 1
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP84\A0007313.sys Infected: Rootkit.Win32.Agent.mbc 1
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP84\A0007314.dll Infected: Trojan-Downloader.Win32.Agent.cjsg 1
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP84\A0007316.sys Infected: Rootkit.Win32.Agent.moy 1
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP84\A0007317.dll Infected: Trojan.Win32.Tdss.ajkj 1
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP84\A0007319.dll Infected: Trojan.Win32.Agent2.kyj 1
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP84\A0007321.dll Infected: Trojan.Win32.Agent2.kym 1
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP84\A0007363.dll Infected: Trojan-Downloader.Win32.FraudLoad.fbi 1

The selected area was scanned.



-------------------------------------------

Rooter


Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 2
[32_bits] - x86 Family 15 Model 72 Stepping 2, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
.
C:\ [Fixed-NTFS] .. ( Total:82 Go - Free:48 Go )
D:\ [Fixed-FAT32] .. ( Total:9 Go - Free:1 Go )
F:\ [CD_Rom]
.
Scan : 21:17.23
Path : C:\Documents and Settings\me.PC608619932964\Desktop\Rooter.exe
User : me ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (788)
______ \??\C:\WINDOWS\system32\csrss.exe (852)
______ \??\C:\WINDOWS\system32\winlogon.exe (880)
______ C:\WINDOWS\system32\services.exe (924)
______ C:\WINDOWS\system32\lsass.exe (936)
______ C:\WINDOWS\system32\svchost.exe (1104)
______ C:\WINDOWS\system32\svchost.exe (1148)
______ C:\WINDOWS\System32\svchost.exe (1188)
______ C:\WINDOWS\system32\svchost.exe (1312)
______ C:\WINDOWS\system32\svchost.exe (1340)
______ C:\WINDOWS\system32\spoolsv.exe (1640)
______ C:\WINDOWS\system32\svchost.exe (1788)
______ C:\WINDOWS\Explorer.EXE (1896)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1952)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1964)
______ C:\Program Files\Java\jre6\bin\jqs.exe (2028)
______ C:\Program Files\Common Files\LightScribe\LSSrvc.exe (180)
______ C:\WINDOWS\system32\nvsvc32.exe (256)
______ C:\WINDOWS\system32\svchost.exe (300)
______ C:\WINDOWS\system32\wdfmgr.exe (360)
______ C:\Program Files\Viewpoint\Common\ViewpointService.exe (396)
______ C:\Program Files\Vongo\VongoService.exe (488)
______ C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (608)
______ C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (644)
______ C:\WINDOWS\System32\alg.exe (2020)
______ C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe (1308)
______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (1500)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (1512)
______ C:\Program Files\HP\QuickPlay\QPService.exe (1532)
______ C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe (1648)
______ C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (1664)
______ C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe (2112)
______ C:\Program Files\Java\jre6\bin\jusched.exe (2384)
______ C:\WINDOWS\system32\ctfmon.exe (2476)
______ C:\Documents and Settings\me.PC608619932964\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (2504)
______ C:\Documents and Settings\me.PC608619932964\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe (2552)
______ C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE (3284)
______ C:\Program Files\internet explorer\iexplore.exe (3780)
______ C:\Program Files\internet explorer\iexplore.exe (3872)
______ C:\Program Files\Java\jre6\bin\java.exe (1412)
______ C:\WINDOWS\system32\wuauclt.exe (3108)
______ C:\Documents and Settings\me.PC608619932964\Local Settings\Temp\jkos-me\binaries\ScanningProcess.exe (3420)
______ C:\Documents and Settings\me.PC608619932964\Local Settings\Temp\jkos-me\binaries\ScanningProcess.exe (3480)
______ C:\Program Files\internet explorer\iexplore.exe (2348)
______ C:\Documents and Settings\me.PC608619932964\Desktop\Rooter.exe (3144)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:88791865344)
\Device\Harddisk0\Partition2 (Start_Offset:88791929856 | Length:10158188544)
\Device\Harddisk0\Partition3 (Start_Offset:98950150656 | Length:1077479424)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 21:17.32
.
C:\Rooter$\Rooter_1.txt - (25/07/2009 | 21:17.33)
  • 0

#13
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
That looks much better now. What Kaspersky and MBAM found were items that were deleted by Combofix, and files locked in System Restore. Both are safe and will be fully removed when we uninstall Combofix.

Before we do though, please let me know how the machine is performing now, and whether you have any more problems.
  • 0

#15
askey35

askey35

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Computer is running pretty well, except for some occasional lagging and slow operation.



Thanks for all the Help,

Kevin
  • 0
