rootkit/nurech.bc, cannot remove, getting BSOD [RESOLVED]



#16 Mike
    Malware Monger
  • Retired Staff
  • 2,745 posts
Thanks for the kind words :)

Take care and have a great day still!

Mike
  • 0


#17 Mike
    Malware Monger
  • Retired Staff
  • 2,745 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#18 Mike
    Malware Monger
  • Retired Staff
  • 2,745 posts
Topic re-opened at starter's request.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Note: These logs may be too large to post in one reply; if so, please post extra.txt in a separate reply.

Then,


Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

If the log is too long please attach it instead.

Let's see what's running :)
  • 0

#19 V0x
    Member
  • Topic Starter
  • Member
  • 24 posts
Hello, again!

I downloaded DSS and ran it, but only got a main.txt, no extra.txt. Here it is:

Deckard's System Scanner v20071014.68
Run by DONALD on 2008-07-27 20:24:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as DONALD.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:12 PM, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\DONALD\Desktop\dss.exe
C:\DOCUME~1\DONALD\Desktop\DONALD.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/...erInstaller.CAB
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 10033 bytes

-- Files created between 2008-06-27 and 2008-07-27 -----------------------------

2008-07-25 09:09:11 0 --a------ C:\WINDOWS\ORUN32.EXE
2008-07-22 21:14:02 202240 --a------ C:\WINDOWS\system32\Dr Pepper Indiana Jones.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-07-22 21:14:02 0 d-------- C:\WINDOWS\system32\Dr Pepper Indiana Jones dir
2008-07-17 23:09:48 0 d-------- C:\fsaua.data
2008-07-17 17:56:21 0 d-------- C:\WINDOWS\ERUNT
2008-07-15 19:06:21 0 d-------- C:\Documents and Settings\DONALD\Application Data\OpenOffice.org2
2008-07-15 19:03:38 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-07-14 01:01:30 0 d-------- C:\Documents and Settings\DONALD\.SunDownloadManager
2008-07-13 18:24:52 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-07-13 18:21:41 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-13 18:21:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-13 18:13:42 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-13 18:11:53 0 d-------- C:\327882R2FWJFW
2008-07-13 18:10:32 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-13 18:09:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-07-13 15:21:55 0 d-------- C:\Documents and Settings\DONALD\Application Data\TrojanHunter
2008-07-13 14:32:43 0 d-------- C:\Program Files\TrojanHunter 5.0
2008-07-13 10:49:06 0 d-------- C:\Documents and Settings\Administrator.D2VN4F61\Application Data\SUPERAntiSpyware.com
2008-07-13 09:49:14 0 d-------- C:\Documents and Settings\Administrator.D2VN4F61\Application Data\Mozilla
2008-07-13 09:38:21 0 d-------- C:\Documents and Settings\Administrator.D2VN4F61\Application Data\Malwarebytes
2008-07-13 09:37:40 0 d-------- C:\Documents and Settings\Administrator.D2VN4F61\Templates
2008-07-13 09:37:40 0 d-------- C:\Documents and Settings\Administrator.D2VN4F61\My Documents
2008-07-13 09:37:40 0 d-------- C:\Documents and Settings\Administrator.D2VN4F61\Local Settings
2008-07-13 09:37:40 0 d-------- C:\Documents and Settings\Administrator.D2VN4F61\Favorites
2008-07-13 09:37:40 0 d-------- C:\Documents and Settings\Administrator.D2VN4F61\Desktop
2008-07-13 09:37:40 0 d-------- C:\Documents and Settings\Administrator.D2VN4F61\Cookies
2008-07-13 09:37:40 0 d-------- C:\Documents and Settings\Administrator.D2VN4F61\Application Data
2008-07-13 09:37:40 0 d-------- C:\Documents and Settings\Administrator.D2VN4F61\Application Data\Microsoft
2008-07-13 09:37:38 786432 --ah----- C:\Documents and Settings\Administrator.D2VN4F61\NTUSER.DAT
2008-07-12 23:26:01 0 d-------- C:\Program Files\Mozilla Firefox(2)
2008-07-12 22:56:41 0 d-------- C:\Program Files\Panda Security
2008-07-12 22:43:33 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-12 22:43:33 0 d-------- C:\Documents and Settings\DONALD\Application Data\SUPERAntiSpyware.com
2008-07-12 22:13:41 0 d-------- C:\Documents and Settings\DONALD\Application Data\Malwarebytes
2008-07-12 22:13:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 22:13:33 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 22:01:14 0 d-------- C:\Documents and Settings\DONALD\.housecall6.6
2008-07-12 21:14:05 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-12 21:14:05 0 d-------- C:\Documents and Settings\Administrator\Application Data
2008-07-12 21:14:05 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-12 21:14:04 0 d-------- C:\Documents and Settings\Administrator\Templates
2008-07-12 21:14:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-12 21:14:04 0 d-------- C:\Documents and Settings\Administrator\Local Settings
2008-07-12 21:14:03 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-09 21:18:37 233472 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-07-09 21:18:37 3407872 --a------ C:\Documents and Settings\DONALD\ntuser.dat
2008-07-06 13:31:57 0 d-------- C:\Program Files\Spyware Doctor
2008-07-06 13:31:57 0 d-------- C:\Documents and Settings\DONALD\Application Data\PC Tools


-- Find3M Report ---------------------------------------------------------------

2008-07-21 12:00:52 0 d-------- C:\Documents and Settings\DONALD\Application Data\Help
2008-07-17 17:52:03 0 d-------- C:\Program Files\Java
2008-07-13 18:25:05 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-07-13 18:21:17 0 d-------- C:\Program Files\Common Files
2008-07-13 18:10:29 0 d-------- C:\Documents and Settings\DONALD\Application Data\Adobe
2008-07-13 18:10:01 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-13 18:02:07 0 d-------- C:\Documents and Settings\DONALD\Application Data\AdobeUM
2008-07-13 12:26:02 0 d-------- C:\Documents and Settings\DONALD\Application Data\Mozilla


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
06/11/2008 10:33 PM 75128 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [06/30/2004 03:33 PM]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [03/23/2004 02:16 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/25/2004 02:52 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 10:12 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [10/12/2004 06:54 PM]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [09/14/2004 10:50 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [12/22/2004 03:18 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/22/2004 03:19 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [02/13/2006 10:05 PM]
"nwiz"="nwiz.exe" [02/13/2006 10:05 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [02/13/2006 10:05 PM]
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.exe" [05/13/2002 11:10 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 06:30 PM]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [03/18/2004 10:33 AM]
"Logitech Utility"="Logi_MwX.Exe" [03/03/2004 01:50 PM C:\WINDOWS\LOGI_MWX.EXE]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [07/09/2008 06:54 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [06/12/2008 02:38 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [04/10/2008 03:14 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [06/20/2006 11:36 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [02/24/2005 12:57 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/27/2007 11:39 AM]

C:\Documents and Settings\DONALD\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [1/21/2008 3:41:28 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

*Newly Created Service* - GTNDIS5



-- End of Deckard's System Scanner: finished at 2008-07-27 20:24:47 ------------
  • 0

#20 V0x
    Member
  • Topic Starter
  • Member
  • 24 posts
GMER scan--

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-27 20:32:29
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0xEEE5D7A6]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xEEE5A794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xEEE5AF1E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0xEEE5E1F0]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteValueKey [0xEEE5E42A]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xEB0088AC]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0xEEE5F12A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwSetValueKey [0xEEE5E83C]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xEB008812]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xEEE59384]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\Explorer.EXE[152] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 1E, 85 ]
.text C:\WINDOWS\Explorer.EXE[152] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[152] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[272] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 58, 84 ]
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[272] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[272] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe[280] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 4F, 84 ]
.text C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe[280] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe[280] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[308] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 13, 84 ]
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[308] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[308] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[324] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 74, 84 ]
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[324] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[324] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[332] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 86, 84 ]
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[332] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[332] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\DOCUME~1\DONALD\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[360] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, B9, 83 ]
.text C:\DOCUME~1\DONALD\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[360] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\DOCUME~1\DONALD\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[360] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\DONALD\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[360] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\LXSUPMON.EXE[412] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 95, 84 ]
.text C:\WINDOWS\system32\LXSUPMON.EXE[412] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\LXSUPMON.EXE[412] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[420] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 5E, 84 ]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[420] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[420] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Logitech\iTouch\iTouch.exe[440] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 8D, 84 ]
.text C:\Program Files\Logitech\iTouch\iTouch.exe[440] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Logitech\iTouch\iTouch.exe[440] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\TrojanHunter 5.0\THGuard.exe[472] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, BB, 84 ]
.text C:\Program Files\TrojanHunter 5.0\THGuard.exe[472] user32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TrojanHunter 5.0\THGuard.exe[472] user32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[488] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, BE, 83 ]
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[488] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[488] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[496] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 62, 87 ]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[496] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 57, 9E, C3, 83 ]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[496] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[496] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[528] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, DD, 84 ]
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[528] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[528] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[548] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, A5, 84 ]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[548] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[548] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[552] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 48, 84 ]
.text C:\WINDOWS\system32\ctfmon.exe[552] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[552] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[652] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, BE, 83 ]
.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[652] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\OpenOffice.org 2.4\program\soffice.exe[652] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[668] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, E9, 84 ]
.text C:\WINDOWS\system32\csrss.exe[668] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[668] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 09, 85 ]
.text C:\WINDOWS\system32\winlogon.exe[692] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[692] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[712] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 33, 8A ]
.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[712] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F210F5A
.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[712] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F1B0F5A
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 2D, 84 ]
.text C:\WINDOWS\system32\services.exe[736] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[736] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[756] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 79, 84 ]
.text C:\WINDOWS\system32\lsass.exe[756] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[756] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[896] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 3E, 84 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[896] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[896] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[896] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 2F, 84 ]
.text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 4B, 84 ]
.text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 20, 86 ]
.text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1104] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, E7, 84 ]
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1104] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1104] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1128] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 43, A1, C3, 83 ]
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[1136] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 7C, 84 ]
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[1136] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[1136] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\nvsvc32.exe[1164] kernel32.dll!LoadLibraryExW + C4 7C801BB5 2 Bytes [ 47, E4 ]
.text C:\WINDOWS\system32\nvsvc32.exe[1164] kernel32.dll!LoadLibraryExW + C7 7C801BB8 1 Byte [ 84 ]
.text C:\WINDOWS\system32\nvsvc32.exe[1164] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\nvsvc32.exe[1164] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\PnkBstrA.exe[1188] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 48, 84 ]
.text C:\WINDOWS\system32\PnkBstrA.exe[1188] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\PnkBstrA.exe[1188] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1224] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 6D, 84 ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1224] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1224] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 24, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1252] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1252] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 35, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, EF, 83 ]
.text C:\WINDOWS\system32\svchost.exe[1308] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1308] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[1340] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 8B, 84 ]
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[1340] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[1340] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1428] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 66, 84 ]
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1428] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1428] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[1544] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 99, 84 ]
.text C:\WINDOWS\system32\LEXBCES.EXE[1544] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\LEXBCES.EXE[1544] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[1596] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 0D, 84 ]
.text C:\WINDOWS\system32\LEXPPS.EXE[1596] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\LEXPPS.EXE[1596] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1604] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 1C, 85 ]
.text C:\WINDOWS\system32\spoolsv.exe[1604] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1604] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1780] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 7D, 84 ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1780] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1780] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe[1832] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 2C, 84 ]
.text C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe[1832] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe[1832] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1852] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 35, 84 ]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1852] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1852] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wdfmgr.exe[2072] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, E4, 83 ]
.text C:\WINDOWS\system32\wdfmgr.exe[2072] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wdfmgr.exe[2072] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe[2100] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 5C, 84 ]
.text C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe[2100] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe[2100] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe[2128] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 4C, 85 ]
.text C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe[2128] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe[2128] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\alg.exe[3160] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, EB, 83 ]
.text C:\WINDOWS\System32\alg.exe[3160] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\System32\alg.exe[3160] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\alg.exe[3160] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[3192] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 02, 84 ]
.text C:\WINDOWS\System32\svchost.exe[3192] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\System32\svchost.exe[3192] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[3192] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[3280] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 1A, 84 ]
.text C:\WINDOWS\system32\wscntfy.exe[3280] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\system32\wscntfy.exe[3280] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[3280] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A

---- Devices - GMER 1.0.14 ----

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device B59E9C8A
Device B5A014F4

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ C:\WINDOWS\system32\scrobj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\ProgID@ Scriptlet.Constructor

---- EOF - GMER 1.0.14 ----
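The hook listing above is easier to triage once identical patches are grouped across processes: in the posted log both SetWindowsHookEx hooks jump to the same address in every process except soffice.BIN, while the bytes written into LoadLibraryExW + C4 change from one process to the next. The script below is an added example written for this edit, not part of the thread and not GMER's own code. It parses GMER's user-mode hook lines, groups each hooked export by patch content, and labels it single / uniform / per-process / majority+N. Its sample input is nine lines copied from the log above. The labels are a reading aid, not a verdict: a uniform JMP is exactly what a globally injected DLL produces (security products do this too), and deciding whether that DLL is legitimate still means resolving the JMP target to a module mapped in the process.

```python
"""Group the user-mode hooks from a GMER log by hooked export and patch content.

Added example for this thread; it is not part of the original posts and not
GMER's own code. It reads lines in the '.text <process>[pid] module!export ...'
format GMER printed above. The triage labels are an analyst's heuristic, not a
verdict: they only say whether a patch looks the same everywhere or stands out.
"""
import re
from collections import defaultdict

# One GMER user-mode hook line, e.g.
#   .text C:\WINDOWS\system32\lsass.exe[756] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
#   .text C:\WINDOWS\system32\nvsvc32.exe[1164] kernel32.dll!LoadLibraryExW + C7 7C801BB8 1 Byte [ 84 ]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"      # process path and PID
    r"(?P<mod>[^!\s]+)!(?P<func>[^\s+]+)"              # module!export
    r"(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+"           # optional offset into the export
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?P<patch>.+?)\s*$"                               # 'JMP <addr>' or '[ b1, b2, ... ]'
)


def parse_hook_line(line):
    """Return a dict for one hook line, or None if the line is not a hook entry."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    patch = d["patch"]
    if patch.upper().startswith("JMP"):
        kind, value = "JMP", patch.split()[1].upper()
    else:  # inline byte patch such as "[ 47, E4, 33, 8A ]"
        kind = "BYTES"
        value = tuple(b.strip().upper() for b in patch.strip("[] ").split(","))
    target = f"{d['mod']}!{d['func']}"
    if d["off"]:
        target += f"+{d['off'].upper()}"
    return {
        "process": f"{d['proc']}[{d['pid']}]",
        "target": target,
        "address": int(d["addr"], 16),
        "size": int(d["size"]),
        "kind": kind,
        "value": value,
    }


def summarize(lines):
    """Return {hooked export: {patch description: [process[pid], ...]}}."""
    by_target = defaultdict(lambda: defaultdict(list))
    for line in lines:
        h = parse_hook_line(line)
        if h is None:
            continue
        desc = "JMP " + h["value"] if h["kind"] == "JMP" else "BYTES " + " ".join(h["value"])
        by_target[h["target"]][desc].append(h["process"])
    return {t: dict(v) for t, v in by_target.items()}


def classify(summary):
    """Label each hooked export for triage.

    single       hooked in one process only
    uniform      identical patch in every hooked process; one DLL injected
                 everywhere is the usual cause, but the JMP target still has
                 to be mapped to a module before calling it good or bad
    per-process  every process carries a different patch, e.g. tail bytes that
                 encode a per-process address
    majority+N   one dominant variant plus N deviating processes to look at first

    Returns {export: (label, number of processes, {deviating patch: [processes]})}.
    """
    report = {}
    for target, variants in summary.items():
        n_procs = sum(len(p) for p in variants.values())
        if n_procs == 1:
            report[target] = ("single", 1, {})
        elif len(variants) == 1:
            report[target] = ("uniform", n_procs, {})
        elif len(variants) == n_procs:
            report[target] = ("per-process", n_procs, {})
        else:
            majority = max(variants, key=lambda k: len(variants[k]))
            odd = {k: v for k, v in variants.items() if k != majority}
            report[target] = (f"majority+{len(odd)}", n_procs, odd)
    return report


# Sample input: nine lines copied verbatim from the GMER log posted in this thread.
SAMPLE_LOG = r"""
.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[712] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 33, 8A ]
.text C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN[712] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F210F5A
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 2D, 84 ]
.text C:\WINDOWS\system32\services.exe[736] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[756] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[896] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[896] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\nvsvc32.exe[1164] kernel32.dll!LoadLibraryExW + C4 7C801BB5 2 Bytes [ 47, E4 ]
.text C:\WINDOWS\system32\nvsvc32.exe[1164] kernel32.dll!LoadLibraryExW + C7 7C801BB8 1 Byte [ 84 ]
"""


def sample_lines():
    return [l for l in SAMPLE_LOG.splitlines() if l.strip()]


if __name__ == "__main__":
    for target, (label, n, odd) in sorted(classify(summarize(sample_lines())).items()):
        print(f"{label:<12} {n:>2} proc(s)  {target}")
        for desc, procs in odd.items():
            print(f"{'':<12}    deviates: {desc} in {', '.join(procs)}")
```

Run it as a file to print the table, or call classify(summarize(lines)) on the full log. The nvsvc32.exe entry shows why grouping on exact bytes needs care: the same four-byte patch that other processes carry appears there as two fragments (+C4 and +C7), which is consistent with GMER reporting only the bytes that differ from the on-disk image, so a patch in which one byte happens to equal the original is split in two and the script counts it as two separate hooks.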

#21 Mike (Malware Monger, Retired Staff, 2,745 posts)

Good let's see what we got here,

Please go here to install the recovery console and for a guide on using combofix.
Please note: Installing the Recovery Console plays a vital part in making this process of cleaning your computer safe, don't overlook this!

Now please download combofix from here or here. It is important that you save this file to your desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a Hijack This log in your next reply.

A quick heads up, if you click on combofix's window when it's running, you may cause it to stall.

#22 V0x (Topic Starter, Member, 24 posts)

Ok, major glitch here, trying to install some kind of recovery console.

The original XP disks that came with this computer are nowhere to be found. I do not have a burner or even a floppy drive on this tower. What do I do now?

#23 Mike (Malware Monger, Retired Staff, 2,745 posts)

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Posted Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

Click YES when it asks you to scan for malware.

#24 V0x (Topic Starter, Member, 24 posts)

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Posted Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

Click YES when it asks you to scan for malware.


I can't get that far.

I downloaded SP2 and combofix, dragged and dropped, got this box:
Posted Image
agreed to run combofix, it opened a little combofix window with a fast-moving progress bar that looks like this:
Posted Image
then nothing. I can't even get combofix to open on its own, without the dragging and dropping thing.

#25 Mike (Malware Monger, Retired Staff, 2,745 posts)

Is there no blue window that pops up? Maybe you're not giving it enough time.

Try re-naming it to Combo-Fix.exe and see if it runs.

#26 V0x (Topic Starter, Member, 24 posts)

No luck. I closed the browser, tried it again and let it sit for five minutes. The cursor turns into an hourglass for about 10-15 sec., then turns back into a pointer (much like it did when I couldn't get spyware dr. to run). I then edited the name of the file like you said, and got the same results.

#27 Mike (Malware Monger, Retired Staff, 2,745 posts)

Are you getting any error messages or it just does nothing?

Delete the two copies you have on your PC.

Try it this way then please...

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If not, do the following

Please download OTScanIt.exe to your Desktop.
Double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close all other programs.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program
  • (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and attach the file in your next post, do not try to copy/paste it into the post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#28 V0x (Topic Starter, Member, 24 posts)

Ok, Spyware Doctor WAS interfering with combofix. I had to totally shut it down to get combofix to work, instead of just "disabling" it.

Here's the combofix scan:

ComboFix 08-07-28.1 - DONALD 2008-07-28 15:46:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.635 [GMT -4:00]
Running from: C:\Documents and Settings\DONALD\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\DONALD\Application Data\macromedia\Flash Player\#SharedObjects\Z4T4Z4DY\interclick.com
C:\Documents and Settings\DONALD\Application Data\macromedia\Flash Player\#SharedObjects\Z4T4Z4DY\interclick.com\ud.sol
C:\Documents and Settings\DONALD\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\DONALD\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\ORUN32.EXE
C:\WINDOWS\system32\CMMGR32.EXE

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.

2008-07-27 20:27 . 2008-07-27 20:27 250 --a------ C:\WINDOWS\gmer.ini
2008-07-27 20:22 . 2008-07-27 20:22 <DIR> d-------- C:\Deckard
2008-07-22 21:14 . 2008-07-22 21:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\Dr Pepper Indiana Jones dir
2008-07-22 21:14 . 2008-07-22 21:14 202,240 --a------ C:\WINDOWS\SYSTEM32\Dr Pepper Indiana Jones.scr
2008-07-17 23:09 . 2008-07-17 23:09 <DIR> d-------- C:\fsaua.data
2008-07-17 17:56 . 2008-07-17 17:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-15 19:06 . 2008-07-27 09:25 <DIR> d-------- C:\Documents and Settings\DONALD\Application Data\OpenOffice.org2
2008-07-15 19:03 . 2008-07-15 19:03 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-07-14 01:02 . 2008-07-14 01:11 81,208,728 --a------ C:\Documents and Settings\DONALD\jdk-6u7-windows-i586-p.exe
2008-07-14 01:01 . 2008-07-14 01:11 <DIR> d-------- C:\Documents and Settings\DONALD\.SunDownloadManager
2008-07-13 19:04 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-13 18:21 . 2008-07-13 18:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-13 18:21 . 2008-07-13 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-13 18:14 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-07-13 18:14 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-13 18:13 . 2008-07-13 18:13 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-13 18:10 . 2008-07-13 18:10 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-13 15:21 . 2008-07-13 15:21 <DIR> d-------- C:\Documents and Settings\DONALD\Application Data\TrojanHunter
2008-07-13 14:32 . 2008-07-13 14:32 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-07-13 12:41 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-13 10:49 . 2008-07-13 10:49 <DIR> d-------- C:\Documents and Settings\Administrator.D2VN4F61\Application Data\SUPERAntiSpyware.com
2008-07-13 09:38 . 2008-07-13 09:38 <DIR> d-------- C:\Documents and Settings\Administrator.D2VN4F61\Application Data\Malwarebytes
2008-07-13 09:37 . 2008-07-13 12:13 <DIR> d---s---- C:\Documents and Settings\Administrator.D2VN4F61
2008-07-12 23:26 . 2008-07-13 12:13 <DIR> d-------- C:\Program Files\Mozilla Firefox(2)
2008-07-12 22:56 . 2008-07-12 22:56 <DIR> d-------- C:\Program Files\Panda Security
2008-07-12 22:43 . 2008-07-25 09:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-12 22:43 . 2008-07-12 22:43 <DIR> d-------- C:\Documents and Settings\DONALD\Application Data\SUPERAntiSpyware.com
2008-07-12 22:13 . 2008-07-13 18:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 22:13 . 2008-07-12 22:13 <DIR> d-------- C:\Documents and Settings\DONALD\Application Data\Malwarebytes
2008-07-12 22:13 . 2008-07-12 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-12 22:01 . 2008-07-13 12:13 <DIR> d-------- C:\Documents and Settings\DONALD\.housecall6.6
2008-07-12 21:14 . 2008-07-13 12:14 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-07-06 13:32 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-07-06 13:32 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-07-06 13:32 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-07-06 13:32 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-07-06 13:31 . 2008-07-25 09:18 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-06 13:31 . 2008-07-06 13:31 <DIR> d-------- C:\Documents and Settings\DONALD\Application Data\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 19:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-17 21:52 --------- d-----w C:\Program Files\Java
2008-07-13 22:25 --------- d-----w C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-07-13 22:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-13 22:02 --------- d-----w C:\Documents and Settings\DONALD\Application Data\AdobeUM
2008-07-06 17:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-06 17:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock(2)(2).dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\dnsapi(2)(2).dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-05-05 22:14 107,888 ----a-w C:\WINDOWS\SYSTEM32\CmdLineExt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 23:36 1207080]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-02-24 12:57 2506752]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 15:33 1388544]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 14:16 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 14:52 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 18:54 57344]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 10:50 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-12-22 15:18 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-22 15:19 98304]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 22:05 7557120]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 22:05 86016]
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.EXE" [2002-05-13 23:10 886272]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33 892928]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-07-09 18:54 1056928]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2006-02-13 22:05 1519616 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Logitech Utility"="Logi_MwX.Exe" [2004-03-03 13:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

C:\Documents and Settings\DONALD\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 07:00]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-15 23:39]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys []

*Newly Created Service* - CATCHME
*Newly Created Service* - GMER
*Newly Created Service* - GTNDIS5
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
O8 -: Display All Images with Full Quality - "C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 -: Display Image with Full Quality - "C:\Program Files\NetZero\qsacc\appres.dll/227"
O18 -: Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
O18 -: WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
O18 -: WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
O18 -: WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -

O16 -: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
C:\WINDOWS\Downloaded Program Files\PogoWebLauncher.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 15:47:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-28 15:48:37
ComboFix-quarantined-files.txt 2008-07-28 19:48:33

Pre-Run: 60,365,598,720 bytes free
Post-Run: 60,624,146,432 bytes free

173 --- E O F --- 2008-07-14 05:24:54

#29 V0x (Topic Starter, Member, 24 posts)

And a new HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:13 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DONALD\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/...erInstaller.CAB
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9270 bytes
  • 0

#30
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
You know what this folder is? C:\WINDOWS\SYSTEM32\Dr Pepper Indiana Jones dir

Anything in it?

If not, delete it along with C:\WINDOWS\SYSTEM32\Dr Pepper Indiana Jones.scr

How is your computer running now?
  • 0