Infected horribly [CLOSED]

#1 lutyk7
My desktop computer is jacked up and I believe it's the Outerinfo spyware. The thing is I can't even run HijackThis; I double-click the icon and it just pops open a dialog box for a tenth of a second and closes, and I can't read it. What do I do to remove "Outerinfo" since I can't via Add/Remove Programs?

Also I can't run Norton 360 on it, so I can't find out if it has any viruses. I believe I have a virus that will prevent me from running any .exe programs.
With the exception of downloading/running/scanning with eTrust PestPatrol Anti-Spyware, which I found, and it quarantined 34 pests and 117 items.

Ugh, I'm making so many edits. But uTorrent I uninstall and it pops back up after restart. And also, when I restarted in safe mode with networking, I was given the option to sign on as Administrator or Steph. But it hides Admin in normal mode, as in I can't switch to Admin. With that being said, when I try to Ctrl Alt Delete as "Steph" it says Task Manager is restricted, contact system admin. Any ideas?

I don't care if I have to remove everything in the Add/Remove Programs panel for it to work; it's not my computer, please help!

The desktop allowed me to run DSS though!!

Deckard's System Scanner v20071014.68
Run by Steph on 2008-07-06 20:05:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


-- Last 5 Restore Point(s) --
32: 2008-07-06 23:29:36 UTC - RP375 - Restore Operation
31: 2008-06-20 08:00:18 UTC - RP374 - Software Distribution Service 3.0
30: 2008-06-19 17:54:01 UTC - RP373 - System Checkpoint
29: 2008-06-18 16:38:14 UTC - RP372 - System Checkpoint
28: 2008-06-17 14:01:33 UTC - RP371 - System Checkpoint


-- First Restore Point --
1: 2008-05-10 05:42:30 UTC - RP344 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-06 20:06:16
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\444.471
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Common Files\AOL\1136335297\ee\aolsoftware.exe
C:\WINDOWS\system32\cssrss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\?ymantec\spoolsv.exe
C:\Documents and Settings\Steph\Application Data\??crosoft.NET\?poolsv.exe
C:\Program Files\GetPack\GetPack19.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe
C:\Program Files\GetModule\GetModule19.exe
C:\Program Files\mjc\mjc.exe
C:\Program Files\Sacor\Sacor.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\osk.exe
C:\WINDOWS\system32\msswchx.exe
E:\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.mywa...idebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aimtoday.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearc...ce.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
F0 - win.ini: run=C:\WINDOWS\system32\winupdate.exe
F3 - REG:win.ini: Run=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BSM - {141FDC3C-15FB-11DD-B723-9EF855D89593} - C:\WINDOWS\system32\bsm.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBHO.dll
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: 441465 helper - {D311C486-7D5F-4D73-B791-EE56C47D3B2E} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DBE80DC744B6CDE3F546CAC59B6
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\YMANTE~1\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Pitvgz] "C:\Documents and Settings\Steph\Application Data\??crosoft.NET\?poolsv.exe"
O4 - HKCU\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe"
O4 - HKCU\..\Run: [GetModule19] "C:\Program Files\GetModule\GetModule19.exe"
O4 - HKCU\..\Run: [mjc] C:\Program Files\mjc\mjc.exe
O4 - HKCU\..\Run: [Sacor] C:\Program Files\Sacor\Sacor.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://online.musicmatch.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O20 - Winlogon Notify: fdabadbbdccbfaed - C:\WINDOWS\system32\fdabadbbdccbfaed.dll
O21 - SSODL: nupstals - {426ed8fe-34a6-4e2c-ac92-c11364a11415} - C:\Documents and Settings\All Users\Application Data\nupstals.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.471
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


--
End of file - 12173 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S1 ini910uu - c:\windows\system32\drivers\ini910uu.sys (file missing)
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780} - c:\windows\temp\112.tmp (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\444.471 service
R2 PlugPlayRPC (Plug and Play (RPC)) - c:\windows\portsv.exe service

S2 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&10BD256C&0&10F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&10BD256C&0&10F0
Service:


-- Files created between 2008-06-06 and 2008-07-06 -----------------------------

2008-07-06 18:47:24 0 d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-07-06 18:47:19 0 d-------- C:\Program Files\Common Files\Scanner
2008-07-06 18:47:17 0 d-------- C:\Program Files\CA
2008-07-06 17:44:20 0 d-------- C:\Program Files\Symantec
2008-07-06 17:35:50 0 d-------- C:\Program Files\Support
2008-07-06 17:35:49 0 d-------- C:\Program Files\Supp64
2008-07-06 17:35:37 0 d-------- C:\Program Files\N360
2008-07-06 17:35:37 0 d-------- C:\Program Files\Manual
2008-07-06 17:35:37 0 d-------- C:\Program Files\EDGE
2008-07-06 16:47:38 0 d-------- C:\Documents and Settings\Steph\Application Data\uTorrent
2008-06-28 14:06:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-28 14:06:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-06-28 14:06:16 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-28 14:06:16 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-28 14:06:16 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-28 14:06:16 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-28 14:06:16 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-28 14:06:16 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-28 14:06:16 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-28 14:06:16 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-28 14:06:16 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-28 14:06:16 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-28 14:06:16 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-28 14:06:16 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-28 14:06:16 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-28 14:06:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-28 14:06:16 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-28 13:50:29 0 d-------- C:\Documents and Settings\Steph\Application Data\Symantec
2008-06-28 13:23:04 0 d-------- C:\Program Files\Norton 360
2008-06-28 13:19:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-28 13:15:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-28 13:10:11 0 d-------- C:\WINDOWS\system32\8581
2008-06-28 13:10:08 55808 --a------ C:\WINDOWS\portsv.exe
2008-06-28 13:06:38 0 d-------- C:\Program Files\MagicISO
2008-06-24 01:34:47 0 d-------- C:\WINDOWS\system32\441465
2008-06-22 16:35:19 0 d-------- C:\Program Files\Sacor
2008-06-22 01:34:27 88537 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-06-21 01:07:34 210123 --a------ C:\WINDOWS\system32\000080.exe
2008-06-20 07:18:48 47616 --a------ C:\WINDOWS\b156.exe
2008-06-20 03:23:37 242176 --a------ C:\WINDOWS\system32\wscmp.dll
2008-06-18 11:21:44 215040 --a------ C:\WINDOWS\b148.exe
2008-06-15 12:43:46 0 d-------- C:\Program Files\Spcron
2008-06-15 12:43:42 0 d-------- C:\Program Files\Temporary
2008-06-15 12:38:35 0 d-------- C:\Program Files\mjc
2008-06-15 12:38:35 0 d-------- C:\Program Files\InetGet2
2008-06-14 12:46:39 18944 --a------ C:\WINDOWS\y.exe
2008-06-14 12:46:39 13824 --a------ C:\WINDOWS\xplugin.dll
2008-06-14 12:46:39 18432 --a------ C:\WINDOWS\x.exe
2008-06-14 12:46:39 13312 --a------ C:\WINDOWS\winmgnt.exe
2008-06-14 12:46:39 20224 --a------ C:\WINDOWS\window.exe
2008-06-14 12:46:39 22016 --a------ C:\WINDOWS\winajbm.dll
2008-06-14 12:46:38 15360 --a------ C:\WINDOWS\win64.exe
2008-06-14 12:46:38 19200 --a------ C:\WINDOWS\win32e.exe
2008-06-14 12:46:38 16640 --a------ C:\WINDOWS\users32.exe
2008-06-14 12:46:38 8448 --a------ C:\WINDOWS\time.exe
2008-06-14 12:46:38 17664 --a------ C:\WINDOWS\systemcritical.exe
2008-06-14 12:46:38 11264 --a------ C:\WINDOWS\systeem.exe
2008-06-14 12:46:37 25088 --a------ C:\WINDOWS\svcinit.exe
2008-06-14 12:46:37 22272 --a------ C:\WINDOWS\svchost32.exe
2008-06-14 12:46:37 30720 --a------ C:\WINDOWS\searchword.dll
2008-06-14 12:46:35 15360 --a------ C:\WINDOWS\notepad32.exe
2008-06-14 12:46:35 15616 --a------ C:\WINDOWS\mtwirl32.dll
2008-06-14 12:46:35 11520 --a------ C:\WINDOWS\mswsc20.dll
2008-06-14 12:46:35 14592 --a------ C:\WINDOWS\mswsc10.dll
2008-06-14 12:46:35 32256 --a------ C:\WINDOWS\msupdate.exe
2008-06-14 12:46:34 18432 --a------ C:\WINDOWS\msspi.dll
2008-06-14 12:46:33 29184 --a------ C:\WINDOWS\internet.exe
2008-06-14 12:46:33 30464 --a------ C:\WINDOWS\inetinf.exe
2008-06-14 12:46:32 21248 --a------ C:\WINDOWS\helpcvs.exe
2008-06-14 12:46:32 32256 --a------ C:\WINDOWS\gfmnaaa.dll
2008-06-14 12:46:31 23808 --a------ C:\WINDOWS\funny.exe
2008-06-14 12:46:31 28160 --a------ C:\WINDOWS\funniest.exe
2008-06-14 12:46:31 16128 --a------ C:\WINDOWS\explorer32.exe
2008-06-14 12:46:30 25344 --a------ C:\WINDOWS\dnsrelay.dll
2008-06-14 12:46:30 12800 --a------ C:\WINDOWS\directx32.exe
2008-06-14 12:46:30 8448 --a------ C:\WINDOWS\ctfmon32.exe
2008-06-14 12:46:30 16640 --a------ C:\WINDOWS\cpan.dll
2008-06-14 12:46:30 15872 --a------ C:\WINDOWS\clrssn.exe
2008-06-14 12:46:28 20992 --a------ C:\WINDOWS\accesss.exe
2008-06-14 12:32:27 41984 -ra------ C:\WINDOWS\mrofinu72.exe
2008-06-14 12:32:22 0 d-------- C:\Program Files\Outerinfo
2008-06-14 12:32:22 0 d-------- C:\Program Files\GetPack
2008-06-14 12:32:20 0 d-------- C:\Documents and Settings\Steph\Application Data\??crosoft.NET
2008-06-14 12:32:18 0 d-------- C:\Program Files\QdrPack
2008-06-14 12:32:18 0 d-------- C:\Program Files\ISM
2008-06-14 12:32:13 0 d-------- C:\Program Files\iCheck
2008-06-14 12:32:13 0 d-------- C:\Program Files\GetModule
2008-06-14 12:32:10 41724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-06-14 12:32:09 0 d-------- C:\Program Files\?ymantec
2008-06-14 12:31:56 41984 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-06-14 12:31:50 0 d-------- C:\WINDOWS\system32\stk
2008-06-14 12:31:50 0 d-------- C:\WINDOWS\system32\mgi
2008-06-14 12:31:49 0 d-------- C:\WINDOWS\system32\1039a
2008-06-14 12:31:48 0 d-------- C:\WINDOWS\system32\netrax06
2008-06-14 12:31:48 0 d-------- C:\Temp
2008-06-14 12:31:47 135168 --a------ C:\Documents and Settings\All Users\Application Data\nupstals.dll
2008-06-14 12:31:30 0 d-------- C:\Program Files\uTorrent
2008-06-14 12:31:24 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-06-13 22:44:23 229516 --a------ C:\WINDOWS\system32\000070.exe
2008-06-13 15:12:54 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-06-13 09:05:04 95232 --a------ C:\WINDOWS\b152.exe
2008-06-06 19:12:34 56 -r-hs---- C:\WINDOWS\system32\08894058B6.sys


-- Find3M Report ---------------------------------------------------------------

2008-07-06 19:43:47 0 d-------- C:\Program Files\Common Files
2008-07-06 15:49:29 0 d-------- C:\Program Files\Dell
2008-06-30 11:05:22 113169 --a------ C:\WINDOWS\system32\fdabadbbdccbfaed.dll
2008-06-28 14:09:09 0 d-------- C:\Program Files\Common Files\AOL
2008-06-21 12:55:45 0 d-------- C:\Program Files\PokerStars
2008-06-14 12:32:20 0 d-------- C:\Documents and Settings\Steph\Application Data\??crosoft.NET
2008-06-14 12:32:09 0 d-------- C:\Program Files\?ymantec
2008-06-11 21:16:29 0 d-------- C:\Documents and Settings\Steph\Application Data\Adobe
2008-06-06 19:12:35 4548 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-30 17:59:05 56 -r-hs---- C:\WINDOWS\system32\F8FA12BE0D.sys
2008-05-30 06:40:01 542208 --a------ C:\WINDOWS\b159.exe
2008-05-22 03:01:33 0 d-------- C:\Program Files\MSXML 4.0
2008-05-12 05:43:37 68096 --a------ C:\WINDOWS\b155.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{141FDC3C-15FB-11DD-B723-9EF855D89593}]
05/06/2005 01:24 AM 65041 --a------ C:\WINDOWS\system32\bsm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D311C486-7D5F-4D73-B791-EE56C47D3B2E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [04/05/2005 07:22 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [04/05/2005 07:19 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [04/05/2005 07:23 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 06:48 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 09:12 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 05:19 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [11/14/2005 03:07 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/14/2005 03:08 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 02:05 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 11:44 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 11:44 AM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [01/27/2005 02:02 AM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [09/08/2005 08:20 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 12:12 AM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/2002 10:26 PM]
"YBrowser"="C:\Program Files\Yahoo!\browser\ybrwicon.exe" [07/11/2003 02:51 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [12/10/2003 05:52 AM]
"HostManager"="C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe" [11/02/2005 10:01 PM]
"runner1"="C:\WINDOWS\mrofinu72.exe" [06/05/2008 04:57 PM]
"runner1"="C:\WINDOWS\mrofinu72.exe" [06/05/2008 04:57 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 04:59 PM]
"TP CfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe" [02/08/2007 09:30 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" []
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [11/02/2005 10:01 PM]
"Microsoft Windows Installer"="C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe" [06/14/2008 12:31 PM]
"Sen"="C:\PROGRA~1\YMANTE~1\spoolsv.exe" [06/14/2008 12:32 PM]
"Pitvgz"="C:\Documents and Settings\Steph\Application Data\??crosoft.NET\?poolsv.exe" [05/29/2008 01:35 PM]
"GetPack19"="C:\Program Files\GetPack\GetPack19.exe" [06/17/2008 04:56 AM]
"GetModule19"="C:\Program Files\GetModule\GetModule19.exe" [06/17/2008 04:58 AM]
"mjc"="C:\Program Files\mjc\mjc.exe" [06/22/2008 04:30 PM]
"Sacor"="C:\Program Files\Sacor\Sacor.exe" [06/22/2008 04:35 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [11/14/2005 3:07:29 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 12:23:26 AM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [5/12/2005 1:49:24 AM]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [1/3/2006 7:23:15 PM]
WinZip Quick Pick.lnk - E:\Programs\WinZip\WZQKPICK.EXE [2/11/2006 10:27:13 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"nupstals"= {426ed8fe-34a6-4e2c-ac92-c11364a11415} - C:\Documents and Settings\All Users\Application Data\nupstals.dll [06/14/2008 12:31 PM 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdabadbbdccbfaed]
C:\WINDOWS\system32\fdabadbbdccbfaed.dll 06/30/2008 11:05 AM 113169 C:\WINDOWS\system32\fdabadbbdccbfaed.dll

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-07-06 20:07:02 ------------
Extra!!

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
CPU 1: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 502.07 MiB / 197.1 MiB
Pagefile Memory (total/avail): 1227.39 MiB / 899.8 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.82 MiB

C: is Fixed (NTFS) - 145.96 GiB total, 134.44 GiB free.
D: is CDROM (No Media)
E: is Fixed (FAT32) - 465.64 GiB total, 335.97 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD1600JS-75NCB1 - 149.01 GiB - 3 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 145.96 GiB - C:
\PARTITION2 - Unknown - 3 GiB

\\.\PHYSICALDRIVE1 - WDC WD50 00AAJB-00UHA0 USB Device - 465.76 GiB - 1 partition
\PARTITION0 - Unknown - 465.75 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton 360 v2007 (SYMANTEC Corporation)
AV: Norton 360 v2007 (SYMANTEC Corperation)
AV: Trend Micro PC-cillin Internet Security v12.7.1019 (Trend Micro, Inc.) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"="c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1136335297\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1136335297\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1136335297\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1136335297\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\DOCUME~1\\Steph\\LOCALS~1\\Temp\\grws.exe"="C:\\DOCUME~1\\Steph\\LOCALS~1\\Temp\\grws.exe:*:Enabled:DHCP Client"
"C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Steph\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=STEPHANIE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Steph
LOGONSERVER=\\STEPHANIE
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Steph\LOCALS~1\Temp
TMP=C:\DOCUME~1\Steph\LOCALS~1\Temp
USERDOMAIN=STEPHANIE
USERNAME=Steph
USERPROFILE=C:\Documents and Settings\Steph
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Steph (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\SBC Yahoo!\umuninst.exe" /S
--> C:\PROGRA~1\SBCSEL~1\CustomUninstall.exe SBC
--> C:\PROGRA~1\Yahoo!\browser\unyb.exe
--> C:\PROGRA~1\Yahoo!\common\unwise.exe /S C:\PROGRA~1\Yahoo!\common\install.log
--> C:\PROGRA~1\Yahoo!\common\unybase.exe
--> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\common\yaddbook.dll
--> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\common\ylogin.dll
--> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\common\ymmapi.dll
--> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\MESSEN~1\yhexbmes.dll
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> regsvr32 /s /u C:\PROGRA~1\Yahoo!\common\YCOMP5~1.DLL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Bejeweled 2 Deluxe --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\989E4C3B-B2C9-4486-9A09-D5A8F953837C\Uninstall.exe"
Bejeweled 2 Deluxe 1.0 --> C:\Program Files\Yahoo! Games\Bejeweled 2 Deluxe\PopUninstall.exe "C:\Program Files\Yahoo! Games\Bejeweled 2 Deluxe\Install.log"
Blasterball 2 --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\D1A6F3FD-7B40-443F-8767-BADB25A0D222\Uninstall.exe"
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Game Console --> "C:\Program Files\WildTangent\Apps\Dell Game Console\Uninstall.exe"
Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Support 3.1 --> MsiExec.exe /X{548EEA8E-8299-497F-8057-811D2D7097DC}
Digital Content Portal --> MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
EarthLink setup files --> MsiExec.exe /X{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}
GearDrvs --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HP Deskjet 5400 series --> C:\Program Files\HP\Digital Imaging\{EB57A16E-500D-43d7-85B9-FBE279EBBA6E}\setup\hpzscr01.exe -datfile hpfscr05.dat
HP Extended Capabilities 5.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone 5.0 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Imaging Device Functions 5.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Internet Speed Monitor --> C:\Program Files\iCheck\Uninstall.exe
Internet Speed Monitor --> C:\Program Files\ISM\Uninstall.exe
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Macromedia Flash Player 8 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Magic ISO Maker v5.5 (build 0261) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
MyWay Search Assistant --> MsiExec.exe /X{E7559288-223B-453C-9F06-340E3BE21E39}
Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
Norton 360 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_1_0_0_184\{2D617065-1C52-4240-B5BC-C0AE12157777}.exe" /X
Norton 360 Help --> MsiExec.exe /I{1CA941F1-5006-487E-9FD4-09F812A7D6B8}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Authentification Component --> MsiExec.exe /I{3074EB89-1BCA-4AEF-AFF4-EFB4634C1923}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Outerinfo --> "C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe"
PestPatrolv5 --> MsiExec.exe /X{39586F4F-758D-4A92-A5DF-33E9DB9C09D9}
Photo Click --> MsiExec.exe /I{6E179C77-7335-458D-9537-4F4EAC0181ED}
PokerStars --> "C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
Polar Bowler --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3\Uninstall.exe"
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Sacor --> "C:\Program Files\Sacor\Sacor.exe" -uninstall
SBC Self Support Tool --> C:\WINDOWS\Motive\SBC\MCCUninst.exe
SBC Yahoo! Applications --> C:\Program Files\SBC Yahoo!\UninstallManager.exe
SCRABBLE --> "C:\Program Files\WildTangent\Apps\GameChannel\Games\6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA\Uninstall.exe"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SuppSoft --> MsiExec.exe /I{022DA2C3-81C7-4003-A6BC-1BB147B20097}
Symantec Real Time Storage Protection Component --> MsiExec.exe /I{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}
Symantec Technical Support Controls --> MsiExec.exe /I{92B1B3CC-EC78-45B8-96D0-8B3F11495864}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type6343 / Error
Event Submitted/Written: 07/06/2008 07:50:41 PM
Event ID/Source: 11706 / MsiInstaller
Event Description:
Product: Sonic Update Manager -- Error 1706. An installation package for the product Sonic Update Manager cannot be found. Try the installation again using a valid copy of the installation package 'UM.MSI'.

Event Record #/Type6339 / Warning
Event Submitted/Written: 07/06/2008 07:48:41 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{30465B6C-B53F-49A1-9EBA-A3F187AD502E}', feature 'SoleFeature' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'

Event Record #/Type6338 / Warning
Event Submitted/Written: 07/06/2008 07:48:41 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{30465B6C-B53F-49A1-9EBA-A3F187AD502E}', feature 'SoleFeature', component '{B7195B4D-220F-4055-B216-675DFB956538}' failed. The resource 'C:\Program Files\Common Files\InstallShield\UpdateService\_ispmres.dll' does not exist.

Event Record #/Type6336 / Error
Event Submitted/Written: 07/06/2008 07:48:41 PM
Event ID/Source: 11706 / MsiInstaller
Event Description:
Product: Sonic Update Manager -- Error 1706. An installation package for the product Sonic Update Manager cannot be found. Try the installation again using a valid copy of the installation package 'UM.MSI'.

Event Record #/Type6334 / Warning
Event Submitted/Written: 07/06/2008 07:48:27 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{30465B6C-B53F-49A1-9EBA-A3F187AD502E}', feature 'SoleFeature' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type583939 / Error
Event Submitted/Written: 07/06/2008 07:50:41 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {FFF2D28F-E4EE-44D9-8104-8E71556757F6} did not register with DCOM within the required timeout.

Event Record #/Type583897 / Error
Event Submitted/Written: 07/06/2008 07:47:58 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Trend Micro Central Control Component service failed to start due to the following error:
%%2

Event Record #/Type583891 / Error
Event Submitted/Written: 07/06/2008 07:44:25 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type583888 / Error
Event Submitted/Written: 07/06/2008 07:44:25 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type583885 / Error
Event Submitted/Written: 07/06/2008 07:44:25 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126



-- End of Deckard's System Scanner: finished at 2008-07-06 20:07:02 ------------

Edited by lutyk7, 06 July 2008 - 07:21 PM.

  • 0
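Two entries in the StandardProfile AuthorizedApplications export above stand out: grws.exe running from the user's Temp folder and system32\cssrss.exe (one letter away from the real csrss.exe), both labelled "DHCP Client" even though that service runs inside svchost.exe. The following is an added example, not part of this thread, of DSS or of any tool mentioned here, that parses lines in that export format and flags such entries with three heuristics: temp-directory path, near-miss spelling of a core system binary, and a display name that claims an svchost-hosted service. The SYSTEM_BINARIES and SVCHOST_HOSTED sets are illustrative assumptions, not authoritative lists; the sample lines are copied from the log above.

```python
import re
from typing import Dict, List, Tuple

# Executable names that malware commonly imitates with near-identical spellings.
# Assumption: a short illustrative list, not an exhaustive one.
SYSTEM_BINARIES = {
    "csrss.exe", "svchost.exe", "lsass.exe", "spoolsv.exe",
    "winlogon.exe", "services.exe", "explorer.exe", "smss.exe",
}

# Windows services that run inside svchost.exe. An exception whose display
# name claims one of these but points at some other binary is masquerading.
# Assumption: illustrative set.
SVCHOST_HOSTED = {"dhcp client", "dns client", "windows update"}

# Entries copied from the StandardProfile AuthorizedApplications export in the
# DSS log above (the .reg escaping, with doubled backslashes, is kept as-is).
FIREWALL_EXPORT = r'''
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\DOCUME~1\\Steph\\LOCALS~1\\Temp\\grws.exe"="C:\\DOCUME~1\\Steph\\LOCALS~1\\Temp\\grws.exe:*:Enabled:DHCP Client"
"C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client"
'''

_LINE = re.compile(r'^"([^"]+)"="([^"]*)"$')


def parse_firewall_export(text: str) -> List[Dict[str, str]]:
    """Parse "path"="path:scope:state:display" lines into dicts."""
    entries = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # key header, blank line, or something we don't understand
        value = m.group(2).replace("\\\\", "\\")  # undo .reg backslash escaping
        # Split from the right so the drive letter's colon stays in the path.
        parts = value.rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, scope, state, display = parts
        entries.append({"path": path, "scope": scope, "state": state, "display": display})
    return entries


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_suspicious(entries: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every exception that trips a heuristic."""
    findings = []
    for e in entries:
        path = e["path"]
        base = path.rsplit("\\", 1)[-1].lower()
        upper = path.upper()
        reasons = []
        if "\\TEMP\\" in upper or "\\LOCALS~1\\" in upper or "\\TMP\\" in upper:
            reasons.append("executable lives in a temp directory")
        if base not in SYSTEM_BINARIES and any(edit_distance(base, s) <= 1 for s in SYSTEM_BINARIES):
            reasons.append(f"{base} is one edit away from a core Windows binary name")
        if e["display"].lower() in SVCHOST_HOSTED and base != "svchost.exe":
            reasons.append(f"labelled '{e['display']}' but is not svchost.exe")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in flag_suspicious(parse_firewall_export(FIREWALL_EXPORT)):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the four sample lines it reports only grws.exe and cssrss.exe, each with two reasons, and leaves the Remote Assistance (sessmgr.exe) and uTorrent entries alone. The same parser works on the DomainProfile key and on the "Authorized Application Key Export" section that SDFix prints, since both use the identical value layout.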

#2
lutyk7
    Member
  • Topic Starter
  • Member
  • 10 posts
Any hope?
  • 0

#3
sage5
    RIP 10/2009
  • Retired Staff
  • 2,646 posts
Hi lutyk7,

Welcome to Geeks to Go!
I am sage5, and I will be helping you with this problem.

Please download the following & save to your Desktop:
SDFix
Malwarebytes' Anti-Malware from Here or Here


Run SDFix:
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save it as C:\SDFix\Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).


Run Malwarebytes' Anti-Malware:
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Save the entire report as C:\mbam.txt
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Re-run Deckard's System Scanner:
  • Close all other windows before proceeding.
  • Double click on the dss.exe file on your Desktop and follow the prompts.
  • Scans will run, and 1 text file will open in Notepad.
  • Close the text file.
This file is a new version of C:\Deckard\System Scanner\main.txt


Please post me the text from
  • C:\SDFix\Report.txt
  • C:\mbam.txt
  • C:\Deckard\System Scanner\main.txt


The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.

Cheers,

sage5
  • 0

#4
lutyk7
    Member
  • Topic Starter
  • Member
  • 10 posts
SDFix

SDFix: Version 1.205
Run by Steph on Sun 07/13/2008 at 04:26 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
MsSecurity1.209.4
{DEF85C80-216A-43ab-AF70-1665EDBE2780}

Path :
C:\WINDOWS\444.471 service
\??\C:\WINDOWS\TEMP\112.tmp

MsSecurity1.209.4 - Deleted
{DEF85C80-216A-43ab-AF70-1665EDBE2780} - Deleted



Restoring Default Security Values
Restoring Default Hosts File
Restoring Default IE Search Pages

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\Steph\Desktop\BDSM galleries.URL - Deleted
C:\Documents and Settings\Steph\Desktop\Unused Desktop Shortcuts\BDSM galleries.URL - Deleted
C:\Documents and Settings\Steph\Desktop\CP illegal content.URL - Deleted
C:\Documents and Settings\Steph\Desktop\Unused Desktop Shortcuts\CP illegal content.URL - Deleted
C:\Documents and Settings\Steph\Desktop\Uncensored porn.URL - Deleted
C:\Documents and Settings\Steph\Desktop\Unused Desktop Shortcuts\Uncensored porn.URL - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\WINDOWS\system32\netrax06\netrax061083.exe - Deleted
C:\WINDOWS\system32\mgi\htUIDll.exe - Deleted
C:\WINDOWS\system32\stk\stuxderr.exe - Deleted
C:\Program Files\GetModule\dicik.gz - Deleted
C:\Program Files\GetModule\GetModule18.exe - Deleted
C:\Program Files\GetModule\GetModule19.exe - Deleted
C:\Program Files\GetModule\kwdik.gz - Deleted
C:\Program Files\GetModule\pckik.dat - Deleted
C:\Program Files\GetPack\dictame.gz - Deleted
C:\Program Files\GetPack\GetPack18.exe - Deleted
C:\Program Files\GetPack\GetPack19.exe - Deleted
C:\Program Files\GetPack\trgtame.gz - Deleted
C:\Program Files\iCheck\iCheck.exe - Deleted
C:\Program Files\iCheck\Uninstall.exe - Deleted
C:\Program Files\ISM\Uninstall.exe - Deleted
C:\Program Files\mjc\mjc.exe - Deleted
C:\Program Files\QdrPack\bostrupd.exe - Deleted
C:\Program Files\QdrPack\QdrPack17.exe - Deleted
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe - Deleted
C:\WINDOWS\x.exe - Deleted
C:\WINDOWS\y.exe - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b148.exe - Deleted
C:\WINDOWS\b152.exe - Deleted
C:\WINDOWS\b155.exe - Deleted
C:\WINDOWS\b156.exe - Deleted
C:\WINDOWS\b159.exe - Deleted
C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\WINDOWS\mrofinu72.exe - Deleted
C:\WINDOWS\mrofinu72.exe.tmp - Deleted
C:\WINDOWS\system32\000070.exe - Deleted
C:\WINDOWS\system32\000080.exe - Deleted
C:\WINDOWS\system32\sex1.ico - Deleted
C:\WINDOWS\system32\sex2.ico - Deleted
C:\WINDOWS\system32\sex3.ico - Deleted
C:\WINDOWS\system32\sex1.ico.tmp - Deleted
C:\WINDOWS\system32\sex2.ico.tmp - Deleted
C:\WINDOWS\system32\sex3.ico.tmp - Deleted
C:\Program Files\Setup.exe - Deleted
C:\WINDOWS\accesss.exe - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\browser.exe - Deleted
C:\WINDOWS\clrssn.exe - Deleted
C:\WINDOWS\cpan.dll - Deleted
C:\WINDOWS\ctfmon32.exe - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\directx32.exe - Deleted
C:\WINDOWS\dnsrelay.dll - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\funniest.exe - Deleted
C:\WINDOWS\funny.exe - Deleted
C:\WINDOWS\gfmnaaa.dll - Deleted
C:\WINDOWS\helpcvs.exe - Deleted
C:\WINDOWS\inetinf.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\msspi.dll - Deleted
C:\WINDOWS\msupdate.exe - Deleted
C:\WINDOWS\mswsc10.dll - Deleted
C:\WINDOWS\mswsc20.dll - Deleted
C:\WINDOWS\mtwirl32.dll - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\notepad32.exe - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\searchword.dll - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\svcinit.exe - Deleted
C:\WINDOWS\systeem.exe - Deleted
C:\WINDOWS\systemcritical.exe - Deleted
C:\WINDOWS\system32\441465\441465.dll - Deleted
C:\WINDOWS\system32\bsm.dll - Deleted
C:\WINDOWS\system32\cssrss.exe - Deleted
C:\WINDOWS\system32\hljwugsf.bin - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\update32.exe.tmp - Deleted
C:\WINDOWS\system32\winupdate.exe - Deleted
C:\WINDOWS\system32\wscmp.dll - Deleted
C:\WINDOWS\system32\wscmp.dll.tmp - Deleted
C:\WINDOWS\time.exe - Deleted
C:\WINDOWS\users32.exe - Deleted
C:\WINDOWS\win32e.exe - Deleted
C:\WINDOWS\win64.exe - Deleted
C:\WINDOWS\winajbm.dll - Deleted
C:\WINDOWS\window.exe - Deleted
C:\WINDOWS\winmgnt.exe - Deleted
C:\WINDOWS\xplugin.dll - Deleted
C:\WINDOWS\xxxvideo.hta - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer or CureIt by Dr.Web

Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$

Folder C:\Program Files\GetModule - Removed
Folder C:\Program Files\GetPack - Removed
Folder C:\Program Files\iCheck - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\ISM - Removed
Folder C:\Program Files\mjc - Removed
Folder C:\Program Files\QdrPack - Removed
Folder C:\Program Files\Spcron - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Temp\1cb - Removed
Folder C:\WINDOWS\system32\1039a - Removed
Folder C:\WINDOWS\system32\441465 - Removed
Folder C:\WINDOWS\system32\mgi - Removed
Folder C:\WINDOWS\system32\netrax06 - Removed
Folder C:\WINDOWS\system32\stk - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-13 16:41:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000086
"TracesSuccessful"=dword:00000002

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"="c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1136335297\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1136335297\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1136335297\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1136335297\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\DOCUME~1\\Steph\\LOCALS~1\\Temp\\grws.exe"="C:\\DOCUME~1\\Steph\\LOCALS~1\\Temp\\grws.exe:*:Enabled:DHCP Client"
"C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

Remaining Files :

C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 23 Nov 2005 56 A.SHR --- "C:\i386\F8FA12BE0D.sys"
Wed 23 Nov 2005 2,516 A.SH. --- "C:\i386\KGyGaAvL.sys"
Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Sat 14 Jun 2008 89,088 ..SHR --- "C:\Program Files\?ymantec\spoolsv.exe"
Fri 6 Jun 2008 56 ..SHR --- "C:\WINDOWS\system32\08894058B6.sys"
Fri 30 May 2008 56 ..SHR --- "C:\WINDOWS\system32\F8FA12BE0D.sys"
Fri 6 Jun 2008 4,548 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 19 Feb 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 29 May 2008 230,400 ..SHR --- "C:\Documents and Settings\Steph\Application Data\??crosoft.NET\?poolsv.exe"
Tue 3 Jan 2006 2,167 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Mon 14 Nov 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Mon 14 Nov 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Mon 14 Nov 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"

Finished!
  • 0

#5
lutyk7
    Member
  • Topic Starter
  • Member
  • 10 posts
MBAM

Malwarebytes' Anti-Malware 1.20
Database version: 930
Windows 5.1.2600 Service Pack 2

4:50:24 PM 7/13/2008
mbam-log-7-13-2008 (16-50-24).txt

Scan type: Quick Scan
Objects scanned: 39502
Time elapsed: 2 minute(s), 46 second(s)

Memory Processes Infected: 10
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 5
Files Infected: 13

Memory Processes Infected:
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe (Trojan.DownLoader) -> Unloaded process successfully.
C:\Program Files\Sacor\Sacor.exe (Trojan.Clicker) -> Unloaded process successfully.
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe (Trojan.DownLoader) -> Unloaded process successfully.
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe (Trojan.DownLoader) -> Unloaded process successfully.
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe (Trojan.DownLoader) -> Unloaded process successfully.
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe (Trojan.DownLoader) -> Unloaded process successfully.
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe (Trojan.DownLoader) -> Unloaded process successfully.
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe (Trojan.DownLoader) -> Unloaded process successfully.
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe (Trojan.DownLoader) -> Unloaded process successfully.
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe (Trojan.DownLoader) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWay) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{6f4a6974-15fb-11dd-948a-c8fc55d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{74199ec0-15fb-11dd-b03f-fbfc55d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{4d25f920-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sacor (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft windows installer (Trojan.DownLoader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sacor (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearc...com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearc...com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Outerinfo (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Sacor (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\29464.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\Program Files\Sacor\Sacor.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWay) -> Delete on reboot.
C:\WINDOWS\system32\ntload.dll (Trojan.Qqpass) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\chrome.manifest (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\install.rdf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\FF.dll (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\PowerAdvisory v1.0.14.torrent (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\PowerAdvisory v1.0.14.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steph\Application Data\Microsoft\dtsc\s (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\lfn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\{6e4901c3-be05-4fde-3c25-dedcf45f31ad}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#6
lutyk7

Deckard's System Scanner v20071014.68
Run by Steph on 2008-07-13 16:55:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-13 16:55:11
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\AOL\1136335297\ee\aolsoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SYMCUW.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\?ymantec\spoolsv.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Documents and Settings\Steph\Application Data\??crosoft.NET\?poolsv.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
E:\dss.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.mywa...idebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aimtoday.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TP CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe" -G:{2D617065-1C52-4240-B5BC-C0AE12157777} -T:Config
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\YMANTE~1\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Pitvgz] "C:\Documents and Settings\Steph\Application Data\??crosoft.NET\?poolsv.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://online.musicmatch.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O20 - Winlogon Notify: fdabadbbdccbfaed - C:\WINDOWS\system32\fdabadbbdccbfaed.dll
O21 - SSODL: nupstals - {426ed8fe-34a6-4e2c-ac92-c11364a11415} - C:\Documents and Settings\All Users\Application Data\nupstals.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


--
End of file - 9636 bytes

-- Files created between 2008-06-13 and 2008-07-13 -----------------------------

2008-07-13 16:45:45 0 d-------- C:\Documents and Settings\Steph\Application Data\Malwarebytes
2008-07-13 16:45:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 16:45:41 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 16:23:53 0 d-------- C:\WINDOWS\ERUNT
2008-07-06 18:47:24 0 d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-07-06 18:47:19 0 d-------- C:\Program Files\Common Files\Scanner
2008-07-06 18:47:17 0 d-------- C:\Program Files\CA
2008-07-06 17:44:20 0 d-------- C:\Program Files\Symantec
2008-07-06 17:35:50 0 d-------- C:\Program Files\Support
2008-07-06 17:35:49 0 d-------- C:\Program Files\Supp64
2008-07-06 17:35:37 0 d-------- C:\Program Files\N360
2008-07-06 17:35:37 0 d-------- C:\Program Files\Manual
2008-07-06 17:35:37 0 d-------- C:\Program Files\EDGE
2008-07-06 16:47:38 0 d-------- C:\Documents and Settings\Steph\Application Data\uTorrent
2008-06-28 14:06:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-28 14:06:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-06-28 14:06:16 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-28 14:06:16 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-28 14:06:16 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-28 14:06:16 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-28 14:06:16 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-28 14:06:16 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-28 14:06:16 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-28 14:06:16 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-28 14:06:16 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-28 14:06:16 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-28 14:06:16 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-28 14:06:16 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-28 14:06:16 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-28 14:06:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-28 14:06:16 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-28 13:50:29 0 d-------- C:\Documents and Settings\Steph\Application Data\Symantec
2008-06-28 13:23:04 0 d-------- C:\Program Files\Norton 360
2008-06-28 13:19:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-28 13:15:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-28 13:10:11 0 d-------- C:\WINDOWS\system32\8581
2008-06-28 13:10:08 55808 --a------ C:\WINDOWS\portsv.exe
2008-06-28 13:06:38 0 d-------- C:\Program Files\MagicISO
2008-06-14 12:32:20 0 d-------- C:\Documents and Settings\Steph\Application Data\??crosoft.NET
2008-06-14 12:32:09 0 d-------- C:\Program Files\?ymantec
2008-06-14 12:31:48 0 d-------- C:\Temp
2008-06-14 12:31:47 135168 --a------ C:\Documents and Settings\All Users\Application Data\nupstals.dll
2008-06-14 12:31:30 0 d-------- C:\Program Files\uTorrent


-- Find3M Report ---------------------------------------------------------------

2008-07-13 16:35:58 0 d-------- C:\Program Files\Common Files
2008-07-06 15:49:29 0 d-------- C:\Program Files\Dell
2008-06-30 11:05:22 113169 --a------ C:\WINDOWS\system32\fdabadbbdccbfaed.dll
2008-06-28 14:09:09 0 d-------- C:\Program Files\Common Files\AOL
2008-06-21 12:55:45 0 d-------- C:\Program Files\PokerStars
2008-06-14 12:32:20 0 d-------- C:\Documents and Settings\Steph\Application Data\??crosoft.NET
2008-06-14 12:32:09 0 d-------- C:\Program Files\?ymantec
2008-06-11 21:16:29 0 d-------- C:\Documents and Settings\Steph\Application Data\Adobe
2008-06-06 19:12:35 4548 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-06 19:12:35 56 -r-hs---- C:\WINDOWS\system32\08894058B6.sys
2008-05-30 17:59:05 56 -r-hs---- C:\WINDOWS\system32\F8FA12BE0D.sys
2008-05-22 03:01:33 0 d-------- C:\Program Files\MSXML 4.0


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [04/05/2005 07:22 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [04/05/2005 07:19 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [04/05/2005 07:23 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 06:48 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 09:12 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 05:19 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [11/14/2005 03:07 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/14/2005 03:08 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 02:05 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 11:44 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 11:44 AM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [01/27/2005 02:02 AM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [09/08/2005 08:20 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 12:12 AM]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [09/10/2002 10:26 PM]
"YBrowser"="C:\Program Files\Yahoo!\browser\ybrwicon.exe" [07/11/2003 02:51 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [12/10/2003 05:52 AM]
"HostManager"="C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe" [11/02/2005 10:01 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 04:59 PM]
"TP CfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe" [02/08/2007 09:30 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" []
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [11/02/2005 10:01 PM]
"Sen"="C:\PROGRA~1\YMANTE~1\spoolsv.exe" [06/14/2008 12:32 PM]
"Pitvgz"="C:\Documents and Settings\Steph\Application Data\??crosoft.NET\?poolsv.exe" [05/29/2008 01:35 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [11/14/2005 3:07:29 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 12:23:26 AM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [5/12/2005 1:49:24 AM]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [1/3/2006 7:23:15 PM]
WinZip Quick Pick.lnk - E:\Programs\WinZip\WZQKPICK.EXE [2/11/2006 10:27:13 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"nupstals"= {426ed8fe-34a6-4e2c-ac92-c11364a11415} - C:\Documents and Settings\All Users\Application Data\nupstals.dll [06/14/2008 12:31 PM 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdabadbbdccbfaed]
C:\WINDOWS\system32\fdabadbbdccbfaed.dll 06/30/2008 11:05 AM 113169 C:\WINDOWS\system32\fdabadbbdccbfaed.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-07-13 16:55:38 ------------

#7
sage5 (Retired Staff)

Hi lutyk7,

There are traces of an MBR rootkit here so we will check that first:
Please download the following & save to your Desktop:
GMER's MBR.exe

Double click on the MBR.exe file to run it.
A log will be produced, & saved to the desktop, called MBR.log.
Please open this log in Notepad and post its contents in your next reply.

Edited by sage5, 13 July 2008 - 05:40 PM.


#8
lutyk7

I used two different versions:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x12a050fc size 0x1e4 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.


AND

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-16 07:15:23
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 81F9C8E0 ZwAlertResumeThread
SSDT 81F9CC08 ZwAlertThread
SSDT 820FFD40 ZwAllocateVirtualMemory
SSDT 822A9910 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAA3BF7D0]
SSDT 81F99388 ZwCreateMutant
SSDT 82029B90 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAA3BFA40]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA3C0100]
SSDT 81FBBD90 ZwFreeVirtualMemory
SSDT 81F99E38 ZwImpersonateAnonymousToken
SSDT 81F9C420 ZwImpersonateThread
SSDT 82002500 ZwMapViewOfSection
SSDT 822D07D8 ZwOpenEvent
SSDT 81FBC9A8 ZwOpenProcessToken
SSDT 81FAE178 ZwOpenThreadToken
SSDT 82017288 ZwResumeThread
SSDT 81FAC448 ZwSetContextThread
SSDT 81FB8F10 ZwSetInformationProcess
SSDT 81FA90C0 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA3C0330]
SSDT 822D3E00 ZwSuspendProcess
SSDT 81F9D130 ZwSuspendThread
SSDT 81FBD978 ZwTerminateProcess
SSDT 81FA8A88 ZwTerminateThread
SSDT 81FBACF0 ZwUnmapViewOfSection
SSDT 820E5AE8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

PAGE CLASSPNP.SYS!ClassInitialize + F4 F84BC4B2 4 Bytes [ 32, 10, 9D, 81 ]
PAGE CLASSPNP.SYS!ClassInitialize + FF F84BC4BD 4 Bytes [ 36, CF, 9C, 81 ]
PAGE CLASSPNP.SYS!ClassInitialize + 10A F84BC4C8 4 Bytes [ 44, 10, 9D, 81 ]
PAGE CLASSPNP.SYS!ClassInitialize + 111 F84BC4CF 4 Bytes [ 38, 10, 9D, 81 ]
PAGE CLASSPNP.SYS!ClassInitialize + 118 F84BC4D6 4 Bytes [ 3E, 10, 9D, 81 ]
PAGE ...
? drvmcdb.sys The system cannot find the file specified. !
? system32\drivers\sscdbhk5.sys The system cannot find the file specified. !
? system32\drivers\ssrtln.sys The system cannot find the file specified. !
? system32\drivers\drvnddm.sys The system cannot find the file specified. !
? system32\dla\tfsndres.sys The system cannot find the file specified. !
? system32\dla\tfsnifs.sys The system cannot find the file specified. !
? system32\dla\tfsnopio.sys The system cannot find the file specified. !
? system32\dla\tfsnpool.sys The system cannot find the file specified. !
? system32\dla\tfsnboio.sys The system cannot find the file specified. !
? system32\dla\tfsncofs.sys The system cannot find the file specified. !
? system32\dla\tfsndrct.sys The system cannot find the file specified. !
? system32\dla\tfsnudf.sys The system cannot find the file specified. !
? system32\dla\tfsnudfa.sys The system cannot find the file specified. !
? C:\DOCUME~1\Steph\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[1436] ADVAPI32.dll!CryptDestroyKey 77DEA544 7 Bytes JMP 01362C2D
.text C:\WINDOWS\Explorer.EXE[1436] ADVAPI32.dll!CryptDecrypt 77DEA7B1 7 Bytes JMP 01362BEA
.text C:\WINDOWS\Explorer.EXE[1436] ADVAPI32.dll!CryptEncrypt 77DF1558 7 Bytes JMP 01362BAE
.text C:\WINDOWS\Explorer.EXE[1436] WS2_32.dll!send 71AB428A 5 Bytes JMP 01362A1F
.text C:\WINDOWS\Explorer.EXE[1436] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 01362B11
.text C:\WINDOWS\Explorer.EXE[1436] WS2_32.dll!recv 71AB615A 5 Bytes JMP 01362A57
.text C:\WINDOWS\Explorer.EXE[1436] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 01362A8F
.text C:\WINDOWS\Explorer.EXE[1436] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 01362B93
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2252] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 10019A00 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2252] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 10019A38 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2252] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 10019994 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2252] USER32.dll!AdjustWindowRectEx 7E420272 5 Bytes JMP 10019E11 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2252] USER32.dll!GetScrollInfo 7E420DA2 7 Bytes JMP 10019943 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2252] USER32.dll!ShowScrollBar 7E42F2B3 5 Bytes JMP 100199E5 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2252] USER32.dll!GetScrollPos 7E42F6C4 5 Bytes JMP 1001995E C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2252] USER32.dll!SetScrollPos 7E42F710 5 Bytes JMP 100199AF C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2252] USER32.dll!GetScrollRange 7E42F747 5 Bytes JMP 10019979 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2252] USER32.dll!SetScrollRange 7E42F95B 5 Bytes JMP 100199CA C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2252] USER32.dll!AdjustWindowRect 7E431100 5 Bytes JMP 10019D36 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2252] USER32.dll!EnableScrollBar 7E467DDD 7 Bytes JMP 10019928 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.exe[3040] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 10019A00 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.exe[3040] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 10019A38 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.exe[3040] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 10019994 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.exe[3040] USER32.dll!AdjustWindowRectEx 7E420272 5 Bytes JMP 10019E11 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.exe[3040] USER32.dll!GetScrollInfo 7E420DA2 7 Bytes JMP 10019943 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.exe[3040] USER32.dll!ShowScrollBar 7E42F2B3 5 Bytes JMP 100199E5 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.exe[3040] USER32.dll!GetScrollPos 7E42F6C4 5 Bytes JMP 1001995E C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.exe[3040] USER32.dll!SetScrollPos 7E42F710 5 Bytes JMP 100199AF C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.exe[3040] USER32.dll!GetScrollRange 7E42F747 5 Bytes JMP 10019979 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.exe[3040] USER32.dll!SetScrollRange 7E42F95B 5 Bytes JMP 100199CA C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.exe[3040] USER32.dll!AdjustWindowRect 7E431100 5 Bytes JMP 10019D36 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCUW.exe[3040] USER32.dll!EnableScrollBar 7E467DDD 7 Bytes JMP 10019928 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9923] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe[2208] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9875] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/America Online, Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Cdrom \Device\CdRom0 819D1032

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Disk \Device\Harddisk0\DR0 819D1032

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Disk \Device\Harddisk1\DR8 819D1032

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys

---- Threads - GMER 1.0.14 ----

Thread 4:3004 81A03CF0
Thread 4:3204 819F0DF0
Thread 4:3988 81A3A260
Thread 4:4060 819DCE70
---- Processes - GMER 1.0.14 ----

Library C:\Documents and Settings\Steph\Application Data\ (*** hidden *** ) @ C:\Documents [2696] 0x00400000

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0x12a050fc size 0x1e4
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.14 ----

#9 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
I think in this circumstance we will use a neat trick to get the recovery console installed:

Download the following & save to the Desktop:
ComboFix

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Download the setup package & save it as originally named, next to ComboFix.exe.
Close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.


  • Follow the prompts to start ComboFix and agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • Click Yes at the window labelled What's next ? to continue with the scan.
  • When complete, a log named C:\Combofix.txt will open. Close that file; I will ask you to post the contents of that log as your next reply.

    NOTE: Now, when you boot your PC, there is a 2-second boot screen that allows you to either boot to Windows or use the Recovery Console.
  • Reboot the PC
  • Using the arrow keys on your keyboard select the Recovery Console option.
  • When you are prompted, type the Administrator password. (The administrator password is probably blank, so press Enter.)
  • At the command prompt, type the following: mbr.exe -f (There is a space between the e & the -)

Reboot the PC & send me the text from the C:\Combofix.txt file as your next reply.

Cheers,

sage5

#10 lutyk7 (Topic Starter, Member, 10 posts)
A couple of things happened.

1. The ComboFix ran great, restarted and everything. It restarted to Windows Recovery Mode, and I didn't know I had to select my hard drive, so I hit ESC and Windows booted up. I got a log file, but I didn't run mbr.exe -f.

2. I deleted Windows Recovery Mode and repeated your steps with ComboFix. This time I chose the hard drive, got to the command prompt, and it said it couldn't find mbr.exe -f. So Windows booted and produced a log. Any ideas? Thanks in advance.

#11 lutyk7 (Topic Starter, Member, 10 posts)
I tried some things myself and cleaned up a bit. How does it look? GMER finds 2 sectors, but I don't think they are rootkits.

DSS:

Deckard's System Scanner v20071014.68
Run by Steph on 2008-07-18 12:18:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-18 12:19:15
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
E:\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aimtoday.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnceEx: [Flags] 128
O4 - HKLM\..\RunOnceEx: [Title] UnHackMe Rootkit Check
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O21 - SSODL: nupstals - {426ed8fe-34a6-4e2c-ac92-c11364a11415} - C:\Documents and Settings\All Users\Application Data\nupstals.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


--
End of file - 5533 bytes

-- Files created between 2008-06-18 and 2008-07-18 -----------------------------

2008-07-18 11:34:44 0 d-------- C:\WINDOWS\pss
2008-07-18 11:13:08 0 d-------- C:\cmdcons
2008-07-18 10:53:57 68096 --a------ C:\WINDOWS\zip.exe
2008-07-18 10:53:57 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-18 10:53:57 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-18 10:53:57 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-18 10:53:57 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-18 10:53:57 98816 --a------ C:\WINDOWS\sed.exe
2008-07-18 10:53:57 80412 --a------ C:\WINDOWS\grep.exe
2008-07-18 10:53:57 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-13 16:45:45 0 d-------- C:\Documents and Settings\Steph\Application Data\Malwarebytes
2008-07-13 16:45:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-13 16:45:41 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-13 16:23:53 0 d-------- C:\WINDOWS\ERUNT
2008-07-06 17:35:50 0 d-------- C:\Program Files\Support
2008-07-06 17:35:49 0 d-------- C:\Program Files\Supp64
2008-07-06 17:35:37 0 d-------- C:\Program Files\N360
2008-07-06 17:35:37 0 d-------- C:\Program Files\Manual
2008-07-06 17:35:37 0 d-------- C:\Program Files\EDGE
2008-06-28 14:06:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-28 14:06:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-06-28 14:06:16 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-28 14:06:16 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-28 14:06:16 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-28 14:06:16 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-28 14:06:16 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-28 14:06:16 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-28 14:06:16 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-28 14:06:16 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-28 14:06:16 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-28 14:06:16 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-28 14:06:16 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-28 14:06:16 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-28 14:06:16 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-28 14:06:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-06-28 14:06:16 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-28 13:50:29 0 d-------- C:\Documents and Settings\Steph\Application Data\Symantec
2008-06-28 13:23:04 0 d-------- C:\Program Files\Norton 360
2008-06-28 13:19:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-28 13:15:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-28 13:10:11 0 d-------- C:\WINDOWS\system32\8581
2008-06-28 13:06:38 0 d-------- C:\Program Files\MagicISO


-- Find3M Report ---------------------------------------------------------------

2008-07-18 11:45:16 0 d-------- C:\Program Files\Common Files
2008-07-18 11:41:53 0 d-------- C:\Program Files\Common Files\Real
2008-07-18 11:40:44 0 d-------- C:\Program Files\Dell
2008-07-18 11:39:48 0 d-------- C:\Program Files\BroadJump
2008-07-13 17:08:21 0 d-------- C:\Program Files\MUSICMATCH
2008-07-13 17:06:18 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-28 14:09:09 0 d-------- C:\Program Files\Common Files\AOL
2008-06-21 12:55:45 0 d-------- C:\Program Files\PokerStars
2008-06-11 21:16:29 0 d-------- C:\Documents and Settings\Steph\Application Data\Adobe
2008-06-06 19:12:35 4548 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-06 19:12:35 56 -r-hs---- C:\WINDOWS\system32\08894058B6.sys
2008-05-30 17:59:05 56 -r-hs---- C:\WINDOWS\system32\F8FA12BE0D.sys
2008-05-22 03:01:33 0 d-------- C:\Program Files\MSXML 4.0


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [04/05/2005 07:22 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [04/05/2005 07:19 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [04/05/2005 07:23 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 06:48 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 09:12 PM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 11:44 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 11:44 AM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [01/27/2005 02:02 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 12:12 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"nupstals"= {426ed8fe-34a6-4e2c-ac92-c11364a11415} - C:\Documents and Settings\All Users\Application Data\nupstals.dll [06/14/2008 12:31 PM 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1136335297\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnHackMe Monitor]
C:\Program Files\UnHackMe\hackmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\Program Files\Yahoo!\browser\ybrwicon.exe




-- End of Deckard's System Scanner: finished at 2008-07-18 12:19:30 ------------



GMER:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-18 12:18:37
Windows 5.1.2600 Service Pack 2


---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x12a050fc size 0x1e4
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- EOF - GMER 1.0.14 ----

MBAM:

Malwarebytes' Anti-Malware 1.20
Database version: 930
Windows 5.1.2600 Service Pack 2

12:23:57 PM 7/18/2008
mbam-log-7-18-2008 (12-23-57).txt

Scan type: Quick Scan
Objects scanned: 38086
Time elapsed: 2 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
Have you still got the mbr.exe file on your Desktop?
If not, please re-download it & re-save it to the Desktop.
Delete the current mbr.log file & try to run the following.

Go to Start > Run & copy & paste the following text into the Open box:
"%userprofile%\desktop\mbr.exe" -f

Click OK

Now double-click on the mbr.exe file & post me the contents of the new mbr.log.

#13 lutyk7 (Topic Starter, Member, 10 posts)
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x12a050fc size 0x1e4 !
copy of MBR has been found in sector 62 !

#14 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
OK, we need to cure that in the Recovery Console.
  • Reboot your PC and this time start in the Recovery Console.
  • At the command prompt type fixmbr
  • Press the Enter key
  • Type exit & press the Enter key to reboot.
  • After the restart go back to the Desktop & delete the existing mbr.log file
  • Double click on mbr.exe
  • Post me the text from the new mbr.log file


#15 lutyk7 (Topic Starter, Member, 10 posts)
Same log results, even after I deleted the original.

I don't know if it says anything, but when I typed fixmbr, it took about 2 seconds before I could type again. Should it take longer?
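The two lines mbr.exe keeps printing (a copy of the MBR in sector 62, malicious code at sector 0x12a050fc) describe sectors other than sector 0, and the Recovery Console's fixmbr rewrites only the boot code in sector 0, which is why the log reads the same after running it. The script below is an added example, not code from this thread, from GMER or from Microsoft: it builds a small disk image in memory (the partition layout, the boot-code bytes, the stash sector 62 and the payload sector 290 are constructed stand-ins), scans it with the same two heuristics, applies a fixmbr-style rewrite of sector 0, and then a cleanup that restores the stashed boot code and zeroes the extra sectors.

```python
# Added example for this thread, not code from GMER, ComboFix or Microsoft.
# A tiny disk image is constructed in memory; partition layout, boot-code bytes,
# stash sector (62) and payload sector (290) are illustrative assumptions.
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # MBR bytes 0..445: boot code; then 4 x 16-byte partition entries
SIGNATURE = b"\x55\xaa"        # bytes 510..511

# Constructed stand-ins: only their identity matters here, not what they would execute.
CLEAN_BOOT_CODE = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24).ljust(BOOT_CODE_LEN, b"\x00")
EVIL_BOOT_CODE = (b"\xfa\xb8\x00\x00\x8e\xd8\xe8\x00" + b"\xcc" * 24).ljust(BOOT_CODE_LEN, b"\x00")
PARTITIONS = [(0x80, 0x07, 63, 200)]  # (status, type, LBA start, count): one NTFS-type partition
TOTAL_SECTORS = 300                    # tiny constructed disk
STASH_SECTOR = 62                      # where the thread's scans found the MBR copy
PAYLOAD_SECTOR = 290                   # stand-in for the far-out sector 0x12a050fc
PAYLOAD = b"\xe9\x00\x00" + b"\xcc" * 0x1e1   # 0x1e4 bytes, the size mbr.exe reported

def build_mbr(boot_code, partitions):
    """512-byte MBR: boot code, partition table (CHS fields zeroed), signature."""
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", ty, b"\0\0\0", start, count)
                     for st, ty, start, count in partitions).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN] + table + SIGNATURE

def parse_mbr(sector):
    """Boot code, raw table and (start, count) of used entries, or None without a signature."""
    if len(sector) != SECTOR or sector[510:512] != SIGNATURE:
        return None
    entries = [struct.unpack("<B3sB3sII", sector[446 + 16 * i:462 + 16 * i]) for i in range(4)]
    return {"boot_code": sector[:BOOT_CODE_LEN], "table": sector[446:510],
            "partitions": [(e[4], e[5]) for e in entries if e[2] and e[5]]}

def sector_at(image, n):
    return image[n * SECTOR:(n + 1) * SECTOR]

def scan(image):
    """Findings as (kind, sector, size) for non-zero sectors no partition claims.
    A sector with sector 0's partition table and signature is a stashed MBR copy;
    any other data is reported as code. Heuristic: boot managers such as GRUB also
    use the gap before the first partition, so each hit on a real disk needs a look."""
    mbr = parse_mbr(sector_at(image, 0))
    if mbr is None:
        return [("no-mbr", 0, 0)]
    findings = []
    for n in range(1, len(image) // SECTOR):
        sec = sector_at(image, n)
        if not any(sec) or any(s <= n < s + c for s, c in mbr["partitions"]):
            continue
        cand = parse_mbr(sec)
        if cand and cand["table"] == mbr["table"]:
            findings.append(("mbr-copy", n, SECTOR))
        else:
            findings.append(("code", n, len(sec.rstrip(b"\x00"))))
    return findings

def report(image):
    """The findings in the wording of the thread's mbr.log."""
    return [f"copy of MBR has been found in sector {n} !" if kind == "mbr-copy"
            else f"malicious code @ sector {n:#x} size {size:#x} !"
            for kind, n, size in scan(image)]

def clean_disk():
    img = bytearray(TOTAL_SECTORS * SECTOR)
    img[:SECTOR] = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
    for n in range(63, 263):                     # give the partition non-zero content
        img[n * SECTOR:(n + 1) * SECTOR] = bytes([n & 0xFF]) * SECTOR
    return bytes(img)

def infect(image):
    """The layout the thread's scans describe: original MBR stashed, boot code swapped,
    payload in a sector beyond the partition."""
    img = bytearray(image)
    img[STASH_SECTOR * SECTOR:(STASH_SECTOR + 1) * SECTOR] = image[:SECTOR]
    img[:BOOT_CODE_LEN] = EVIL_BOOT_CODE         # partition table and signature untouched
    img[PAYLOAD_SECTOR * SECTOR:PAYLOAD_SECTOR * SECTOR + len(PAYLOAD)] = PAYLOAD
    return bytes(img)

def fixmbr(image):
    """What the Recovery Console's fixmbr does: rewrite sector 0's boot code only;
    the partition table and every other sector stay exactly as they were."""
    return CLEAN_BOOT_CODE + image[BOOT_CODE_LEN:]

def clean(image):
    """Full cleanup: boot code back from the stashed copy, then zero stash and payload sectors."""
    img, findings = bytearray(image), scan(image)
    copies = [n for kind, n, _ in findings if kind == "mbr-copy"]
    if copies:                                   # assumes a single stashed copy
        img[:BOOT_CODE_LEN] = sector_at(image, copies[0])[:BOOT_CODE_LEN]
    for _, n, _ in findings:
        img[n * SECTOR:(n + 1) * SECTOR] = b"\x00" * SECTOR
    return bytes(img)

if __name__ == "__main__":
    disk = infect(clean_disk())
    print("infected:     ", report(disk))
    print("after fixmbr: ", report(fixmbr(disk)))  # the same two findings as before
    print("after cleanup:", report(clean(disk)))
```

Run it as-is and the three printed lines show the findings unchanged across the fixmbr step and gone after the cleanup. On a real disk the scan is only a pointer to sectors worth inspecting: legitimate boot managers also keep data in the gap before the first partition, and an image cannot reproduce the other check mbr.exe makes, whether the MBR read from user mode matches the one read in the kernel (its "user & kernel MBR OK" line), which is how a driver-level hook that hides the real sector 0 gets caught.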





