Spyware/Malware/Spamming [RESOLVED]


  • This topic is locked

#16 Trout27 (Member, Topic Starter, 57 posts)

And finally, a fresh dss log:

Deckard's System Scanner v20071014.68
Run by default on 2008-07-28 07:21:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 384 MiB (512 MiB recommended).
System Drive C: has 4.04 GiB (less than 15%) free.


-- HijackThis (run as default.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:25 AM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\default\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\default.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon....p;bm=ho_central
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.teachsp...emote/msrdp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 10265 bytes

-- Files created between 2008-06-28 and 2008-07-28 -----------------------------

2008-07-27 23:58:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-27 23:58:54 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-27 23:58:53 0 d-------- C:\WINDOWS\LastGood
2008-07-27 21:07:54 0 d-------- C:\Documents and Settings\default\Application Data\PCToolsFirewallPlus
2008-07-27 21:03:15 93440 --a------ C:\WINDOWS\system32\drivers\pctfw.sys <Not Verified; PC Tools; PC Tools NDIS Driver>
2008-07-27 21:03:10 0 d-------- C:\Program Files\PC Tools Firewall Plus
2008-07-27 21:01:25 0 d-------- C:\Program Files\ThreatFire
2008-07-27 20:49:29 0 d-------- C:\Documents and Settings\default\Application Data\PC Tools
2008-07-27 20:45:17 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-27 20:44:44 0 d-------- C:\Program Files\Common Files\PC Tools
2008-07-27 20:44:32 0 d-------- C:\Program Files\PC Tools AntiVirus
2008-07-27 20:44:32 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-26 19:32:32 0 d-------- C:\cmdcons
2008-07-26 19:28:24 68096 --a------ C:\WINDOWS\zip.exe
2008-07-26 19:28:24 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-26 19:28:24 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-26 19:28:24 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-26 19:28:24 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-26 19:28:24 98816 --a------ C:\WINDOWS\sed.exe
2008-07-26 19:28:24 80412 --a------ C:\WINDOWS\grep.exe
2008-07-26 19:28:24 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-25 00:40:16 0 d-------- C:\Program Files\Trend Micro
2008-07-15 18:02:11 90756 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-07-14 22:54:59 0 d-------- C:\Program Files\Bonjour
2008-07-14 21:39:44 0 d-------- C:\Program Files\Safari
2008-07-03 16:04:42 0 d-------- C:\Documents and Settings\default\Application Data\Malwarebytes
2008-07-03 16:04:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-03 16:04:35 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 12:40:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft


-- Find3M Report ---------------------------------------------------------------

2008-07-01 13:42:24 31744 --a------ C:\Documents and Settings\default\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-06-05 21:56:46 128368 --a------ C:\Documents and Settings\default\Application Data\GDIPFONTCACHEV1.DAT
2008-05-10 01:36:34 2645624 --ah----- C:\Documents and Settings\default\Application Data\IconCache.db


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [08/10/2000 12:00 PM]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [08/10/2000 12:00 PM]
"NvCplDaemon"="RUNDLL32.exe" [08/04/2004 03:56 AM C:\WINDOWS\SYSTEM32\rundll32.exe]
"nwiz"="nwiz.exe" [09/27/2002 02:38 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [07/12/2002 12:22 AM]
"mmtask"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [10/29/2003 03:57 PM]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [05/21/2004 07:11 PM]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [06/01/2004 11:09 AM]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [06/01/2004 11:03 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [01/13/2006 08:13 PM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [01/13/2006 08:13 PM]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [03/11/2007 05:37 PM]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [02/01/2006 06:33 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [12/22/2003 08:38 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [03/05/2008 09:37 AM]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [04/24/2008 04:52 PM]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [07/02/2008 04:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [06/01/2004 05:46 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/14/2007 07:23 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/05/2008 09:20 AM]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [06/10/2007 05:31 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Printing Migration"=rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
@=00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/25/2008 05:37 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 07/29/2007 10:33 AM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"UpdReg"=C:\WINDOWS\Updreg.exe
"LoadQM"=loadqm.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\SYSTEM32\hpztsb03.exe
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"RxMon"=C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
"madexe"=C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"WhenUSave"=C:\PROGRA~1\SAVE\Save.exe
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"GhostStartTrayApp"=C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- End of Deckard's System Scanner: finished at 2008-07-28 07:24:23 ------------
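As an added example (not part of the original post and not code from Deckard's System Scanner or HijackThis), here is a Python triage pass over lines taken from the HijackThis section of the log above. It pulls out the entry classes a helper reads first: O23 services whose publisher field is "Unknown owner", R3/O9 entries whose target is gone ("(no file)", "(file missing)"), O4 Run entries under the SYSTEM or .DEFAULT hives, and processes running outside C:\WINDOWS and C:\Program Files. The sample lines are copied verbatim from the posted log; the reason labels and the trusted-root list are this example's own choices.

```python
r"""Triage pass over a HijackThis-style log (added example, not from the thread).

Flags the entry classes an analyst checks first in a log like the one posted:
  - O23 services whose publisher field is "Unknown owner"
  - R3/O9 entries whose target no longer exists ("(no file)", "(file missing)")
  - O4 Run entries living under the SYSTEM (S-1-5-18) or .DEFAULT hives
  - running processes outside C:\WINDOWS and C:\Program Files
A hit is a prompt to look closer, not a verdict: dss.exe below is the scanner
that produced the log, and the two "Unknown owner" services are listed in the
log as a multimedia-keyboard server and a licensing service.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied verbatim from the posted log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Documents and Settings\default\Desktop\dss.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
"""

# Roots a process is expected to run from on this box (this example's assumption).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
# Run keys under the SYSTEM or Default User hive, i.e. not the logged-on user's own.
SYSTEM_HIVE = re.compile(r"HKUS\\(S-1-5-18|\.DEFAULT)\\")


@dataclass(frozen=True)
class Finding:
    reason: str
    line: str


def triage(log: str) -> list:
    """Return one Finding per log line that matches a triage rule."""
    findings = []
    in_process_list = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_process_list = False  # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_process_list = True
            continue
        low = line.lower()
        if in_process_list:
            if not low.startswith(TRUSTED_ROOTS):
                findings.append(Finding("process outside Windows/Program Files", line))
            continue
        tag = line.split(" - ", 1)[0]  # "O23", "R3", "O4", ...
        if tag == "O23" and " - unknown owner - " in low:
            findings.append(Finding("service with unknown publisher", line))
        elif tag in ("R3", "O9") and ("(no file)" in low or "(file missing)" in low):
            findings.append(Finding("hook/button whose target is missing", line))
        elif tag == "O4" and SYSTEM_HIVE.search(line):
            findings.append(Finding("Run entry under SYSTEM/.DEFAULT hive", line))
    return findings


def count_by_reason(findings) -> Counter:
    """Tally findings by rule so a long log can be summarised in one line."""
    return Counter(f.reason for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:40} {f.line}")
```

On the posted lines this yields six findings; every one of them still has to be judged by hand or by hash, which is what the reply that follows does with the VirSCAN upload.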



#17 fenzodahl512 (Malware Removal, 9,863 posts)

Hello. Firstly, please tell me: do you use any software to control your PC remotely?


Please show hidden files and folders. Please visit HERE if you don't know how.
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:

    • C:\WINDOWS\setup86x\logonmgr.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Rootkit::
C:\WINDOWS\SYSTEM32\DRIVERS\ndisio.sys

File::
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MarketScoreOS.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MarketScoreOS1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar1.zip
C:\!KillBox\logon.exe

DirLook::
C:\WINDOWS\setup86x

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted Image: animation of CFScript.txt being dragged onto ComboFix.exe]


5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • VirScan.org result
  • Combofix.txt
  • A new HijackThis log.


#18 Trout27 (Member, Topic Starter, 57 posts)

First, to answer your question regarding remotely controlling my PC: I do not have software to do that, at least no software that I have installed on my PC. Is there some installed?

Here are the latest scans that I have run. First, the VirScan report (I will post the others in separate posts...):

VirSCAN.org Scanned Report :
Scanned time : 2008/07/28 18:53:24 (EDT)
Scanner results: 22% Scanner(8/36) found malware!
File Name : logonmgr.exe
File Size : 1880576 byte
File Type : MS-DOS executable, PE for MS Windows (GUI) Intel 80386 32-bi
MD5 : 52e0ef25b8ec459441140e53874169e5
SHA1 : 3f74b982e9d3720ff7c36d5d628e41c1647df67f
Online report : http://virscan.org/r...74b117dce5.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.07.28 2008-07-28 2.43 -
AhnLab V3 2008.07.28.01 2008.07.28 2008-07-28 0.89 -
AntiVir 7.8.1.12 7.0.5.182 2008-07-28 2.13 APPL/Servu.1880576
Arcavir 1.0.5 200807281039 2008-07-28 1.20 -
AVAST! 3.0.1 080728-0 2008-07-28 1.67 -
AVG 7.5.51.442 270.5.6/1578 2008-07-28 1.52 -
BitDefender 7.60825.1407150 7.20242 2008-07-29 3.36 Generic.ServU.D7C60A9C
CA (VET) 9.0.0.143 31.6.5990 2008-07-28 0.92 -
ClamAV 0.93.3 7870 2008-07-29 0.34 -
Comodo 2.11 2.0.0.599 2008-07-28 0.47 -
CP Secure 1.1.0.715 2008.07.29 2008-07-29 5.67 -
Dr.Web 4.44.0.9170 2008.07.28 2008-07-28 4.29 BackDoor.Servu.76
ewido 4.0.0.2 2008.07.28 2008-07-28 2.43 -
F-Prot 4.4.4.56 20080728 2008-07-28 1.38 -
F-Secure 5.51.6100 2008.07.28.05 2008-07-28 3.90 -
Fortinet 2.81-3.11 9.359 2008-07-29 1.70 -
ViRobot 20080728 2008.07.28 2008-07-28 0.40 -
Ikarus T3.1.01.34 2008.07.28.71177 2008-07-28 3.34 Backdoor.Win32.SdBot.aad
JiangMin 11.0.706 2008.07.28 2008-07-28 1.34 -
Kaspersky 5.5.10 2008.07.28 2008-07-28 1.28 not-a-virus:Server-FTP.Win32.Serv-U.gen
KingSoft 2008.1.14.15 2008.7.28.17 2008-07-28 1.60 -
McAfee 5.2.00 5348 2008-07-28 2.22 -
Microsoft 1.3704 2008.07.28 2008-07-28 5.70 -
mks_vir 2.01 2008.07.28 2008-07-28 2.55 -
Norman 5.93.01 5.93.00 2008-07-28 8.59 -
Panda 9.05.01 2008.07.28 2008-07-28 2.02 Generic Malware
Trend Micro 8.700-1004 5.438.06 2008-07-28 0.07 -
Quick Heal 9.50 2008.07.28 2008-07-28 2.51 -
Rising 20.0 20.55.02.00 2008-07-28 1.64 -
Sophos 2.75.4 4.31 2008-07-29 4.76 -
Sunbelt 3.1.1536.1 2166 2008-07-25 0.86 Malware.Win32.CodeAnalyzer!cobra (v)
Symantec 1.3.0.24 20080728.003 2008-07-28 2.12 -
nProtect 2008-07-28.00 1721581 2008-07-28 3.85 Generic.ServU.D7C60A9C
The Hacker 6.2.96 v00389 2008-07-24 0.40 -
VBA32 3.12.8.1 20080728.0803 2008-07-28 5.59 -
VirusBuster 4.5.11.10 10.82.25/596881 2008-07-28 1.33 -
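As an added example (not code from the thread or from VirSCAN.org), here is a Python parser for the report format above. It also serves the upload step in the previous reply, since the hash check at the end confirms that the copy you keep on disk is the file the report describes. The parser reproduces the 8/36 figure in the header, separates "riskware" style verdicts (Kaspersky's not-a-virus prefix, AntiVir's APPL/ prefix) from outright malware names, and counts how many labels name the same family. The report text is copied from the post; the riskware markers and the family patterns are this example's own choices.

```python
r"""Parse the VirSCAN.org multi-engine report posted above (added example, not the site's code).
Engine rows look like: <scanner name> <engine ver> <sig ver> <YYYY-MM-DD> <seconds> <result>.
Name and result may contain spaces ("Trend Micro", "Generic Malware"), so the parser anchors
on the date/time columns instead of splitting on whitespace. SAMPLE_REPORT is copied from
the post so this runs offline; nothing is uploaded or fetched."""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_REPORT = """\
Scanner results: 22% Scanner(8/36) found malware!
File Name : logonmgr.exe
MD5 : 52e0ef25b8ec459441140e53874169e5
SHA1 : 3f74b982e9d3720ff7c36d5d628e41c1647df67f
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.07.28 2008-07-28 2.43 -
AhnLab V3 2008.07.28.01 2008.07.28 2008-07-28 0.89 -
AntiVir 7.8.1.12 7.0.5.182 2008-07-28 2.13 APPL/Servu.1880576
Arcavir 1.0.5 200807281039 2008-07-28 1.20 -
AVAST! 3.0.1 080728-0 2008-07-28 1.67 -
AVG 7.5.51.442 270.5.6/1578 2008-07-28 1.52 -
BitDefender 7.60825.1407150 7.20242 2008-07-29 3.36 Generic.ServU.D7C60A9C
CA (VET) 9.0.0.143 31.6.5990 2008-07-28 0.92 -
ClamAV 0.93.3 7870 2008-07-29 0.34 -
Comodo 2.11 2.0.0.599 2008-07-28 0.47 -
CP Secure 1.1.0.715 2008.07.29 2008-07-29 5.67 -
Dr.Web 4.44.0.9170 2008.07.28 2008-07-28 4.29 BackDoor.Servu.76
ewido 4.0.0.2 2008.07.28 2008-07-28 2.43 -
F-Prot 4.4.4.56 20080728 2008-07-28 1.38 -
F-Secure 5.51.6100 2008.07.28.05 2008-07-28 3.90 -
Fortinet 2.81-3.11 9.359 2008-07-29 1.70 -
ViRobot 20080728 2008.07.28 2008-07-28 0.40 -
Ikarus T3.1.01.34 2008.07.28.71177 2008-07-28 3.34 Backdoor.Win32.SdBot.aad
JiangMin 11.0.706 2008.07.28 2008-07-28 1.34 -
Kaspersky 5.5.10 2008.07.28 2008-07-28 1.28 not-a-virus:Server-FTP.Win32.Serv-U.gen
KingSoft 2008.1.14.15 2008.7.28.17 2008-07-28 1.60 -
McAfee 5.2.00 5348 2008-07-28 2.22 -
Microsoft 1.3704 2008.07.28 2008-07-28 5.70 -
mks_vir 2.01 2008.07.28 2008-07-28 2.55 -
Norman 5.93.01 5.93.00 2008-07-28 8.59 -
Panda 9.05.01 2008.07.28 2008-07-28 2.02 Generic Malware
Trend Micro 8.700-1004 5.438.06 2008-07-28 0.07 -
Quick Heal 9.50 2008.07.28 2008-07-28 2.51 -
Rising 20.0 20.55.02.00 2008-07-28 1.64 -
Sophos 2.75.4 4.31 2008-07-29 4.76 -
Sunbelt 3.1.1536.1 2166 2008-07-25 0.86 Malware.Win32.CodeAnalyzer!cobra (v)
Symantec 1.3.0.24 20080728.003 2008-07-28 2.12 -
nProtect 2008-07-28.00 1721581 2008-07-28 3.85 Generic.ServU.D7C60A9C
The Hacker 6.2.96 v00389 2008-07-24 0.40 -
VBA32 3.12.8.1 20080728.0803 2008-07-28 5.59 -
VirusBuster 4.5.11.10 10.82.25/596881 2008-07-28 1.33 -
"""

ENGINE_ROW = re.compile(  # non-greedy name, then anchor on the ISO date and the seconds column
    r"^(?P<name>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.+?)\s*$")
HASH_ROW = re.compile(r"^(MD5|SHA1)\s*:\s*([0-9a-fA-F]+)\s*$")
RISKWARE_MARKERS = ("not-a-virus", "appl/")  # "legitimate tool, worth knowing about" verdicts
FAMILY_HINTS = {"serv-u": re.compile(r"serv[-_]?u", re.I), "sdbot": re.compile(r"sdbot", re.I)}


@dataclass(frozen=True)
class EngineResult:
    scanner: str
    sig_date: str
    label: Optional[str]  # None when the engine reported "-" (clean)


def parse_report(text: str):
    """Return (engine rows, {hash name: hex digest}) for one report."""
    results, hashes = [], {}
    for line in text.splitlines():
        if (h := HASH_ROW.match(line)):
            hashes[h.group(1)] = h.group(2).lower()
        elif (m := ENGINE_ROW.match(line)):
            label = None if m.group("result") == "-" else m.group("result")
            results.append(EngineResult(m.group("name"), m.group("date"), label))
    return results, hashes


def detection_ratio(results):
    """(hits, engines, percent): the figure the report header summarises."""
    hits = sum(1 for r in results if r.label)
    return hits, len(results), round(100 * hits / len(results)) if results else 0


def classify(results) -> Counter:
    """Tally riskware vs malware verdicts and how many labels name each family hint."""
    tally = Counter()
    for r in results:
        if not r.label:
            continue
        low = r.label.lower()
        tally["riskware" if any(mk in low for mk in RISKWARE_MARKERS) else "malware"] += 1
        for family, rx in FAMILY_HINTS.items():
            if rx.search(r.label):
                tally[family] += 1
    return tally


def hashes_match(data: bytes, hashes) -> bool:
    """Confirm the bytes you kept locally are the file the report describes."""
    return (hashlib.md5(data).hexdigest() == hashes.get("MD5")
            and hashlib.sha1(data).hexdigest() == hashes.get("SHA1"))
```

Run against the posted report this gives (8, 36, 22), with five of the eight labels naming Serv-U (a commercial FTP server), two engines filing it as riskware and the rest as a backdoor. A split like that is why the question about remote-control software in the previous reply matters: the same binary is expected if the owner installed it and a foothold if someone else did.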

#19 Trout27 (Member, Topic Starter, 57 posts)

Now, the next report (ComboFix):

ComboFix 08-07-26.1 - default 2008-07-28 19:17:31.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.135 [GMT -4:00]
Running from: C:\Documents and Settings\default\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\default\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\!KillBox\logon.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MarketScoreOS.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MarketScoreOS1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar5.zip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\!KillBox\logon.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MarketScoreOS.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MarketScoreOS1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar5.zip
C:\WINDOWS\SYSTEM32\DRIVERS\ndisio.sys

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.

2008-07-27 23:58 . 2008-07-27 23:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-07-27 23:58 . <DIR> C:\WINDOWS\LastGood.Tmp
2008-07-27 23:58 . 2008-07-27 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-27 21:07 . 2008-07-27 21:07 <DIR> d-------- C:\Documents and Settings\default\Application Data\PCToolsFirewallPlus
2008-07-27 21:03 . 2008-07-27 21:03 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
2008-07-27 21:03 . 2008-03-12 08:30 159,896 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pctfw2.sys
2008-07-27 21:03 . 2008-06-24 10:26 93,440 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pctfw.sys
2008-07-27 21:03 . 2008-07-02 16:50 58,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\FWAuthdriver.sys
2008-07-27 21:01 . 2008-07-27 21:01 <DIR> d-------- C:\Program Files\ThreatFire
2008-07-27 21:01 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfFsMon.sys
2008-07-27 21:01 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfSysMon.sys
2008-07-27 21:01 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfNetMon.sys
2008-07-27 21:01 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfKbMon.sys
2008-07-27 20:49 . 2008-07-27 20:49 <DIR> d-------- C:\Documents and Settings\default\Application Data\PC Tools
2008-07-27 20:45 . 2008-07-27 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-27 20:44 . 2008-07-27 20:44 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-07-27 20:44 . 2008-07-27 20:44 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-07-27 20:44 . 2008-07-27 20:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-27 20:44 . 2007-12-06 15:51 28,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AVHook.sys
2008-07-27 20:44 . 2007-12-06 15:51 21,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AVRec.sys
2008-07-27 20:44 . 2008-02-12 10:44 21,904 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AVFilter.sys
2008-07-27 17:32 . 2008-07-27 17:32 <DIR> d-------- C:\Deckard
2008-07-25 00:40 . 2008-07-25 00:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-18 20:55 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-07-15 18:02 . 2008-07-15 18:02 90,756 --ah----- C:\WINDOWS\SYSTEM32\mlfcache.dat
2008-07-14 22:54 . 2008-07-14 22:55 <DIR> d-------- C:\Program Files\Bonjour
2008-07-14 21:39 . 2008-07-14 21:39 <DIR> d-------- C:\Program Files\Safari
2008-07-04 12:21 . 2008-07-14 09:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-04 12:21 . 2008-07-04 12:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-03 16:04 . 2008-07-03 16:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 16:04 . 2008-07-03 16:04 <DIR> d-------- C:\Documents and Settings\default\Application Data\Malwarebytes
2008-07-03 16:04 . 2008-07-03 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-03 16:04 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-03 12:40 . 2008-07-03 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-03 12:26 . 2003-02-20 16:42 229,487 --a------ C:\WINDOWS\SYSTEM32\jpicpl32.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 23:28 212,480 ----a-w C:\WINDOWS\system32\drivers\ndisio.sys
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-06-06 01:56 128,368 ----a-w C:\Documents and Settings\default\Application Data\GDIPFONTCACHEV1.DAT
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2000-10-13 20:56 271 --sh--w C:\Program Files\desktop.ini
2000-10-13 20:56 23,357 ---h--w C:\Program Files\folder.htt
2002-02-01 02:00 98,304 ----a-w C:\Program Files\internet explorer\plugins\IEHelper.dll
2003-04-20 13:15 32 --sha-w C:\WINDOWS\{DE2E190C-863A-4527-BAFC-7A16DEC8D1AC}.dat
2003-04-20 13:15 32 --sha-w C:\WINDOWS\SYSTEM\{122662BE-63CB-406B-8750-5A1AE39F982B}.dat
2004-08-04 07:56 50,688 --sh--r C:\WINDOWS\SYSTEM32\smss.exe
2007-12-26 14:58 2,516 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2007-12-26 14:58 168 --sh--r C:\WINDOWS\SYSTEM32\3317E83D67.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\setup86x ----

2007-05-22 22:58 1109 --a------ C:\WINDOWS\setup86x\adm_conf.PNF
2007-05-22 22:57 3324 --a------ C:\WINDOWS\setup86x\logon.reg
2007-04-27 23:59 131542 --a------ C:\WINDOWS\setup86x\Config.exe
2007-03-28 22:24 130146 --a------ C:\WINDOWS\setup86x\wmiserv.exe
2007-03-28 22:23 6656 --a------ C:\WINDOWS\setup86x\wmipsecure.dll
2007-03-28 22:23 1295582 --a------ C:\WINDOWS\setup86x\systmcf.dll
2007-03-18 04:19 83742 --a------ C:\WINDOWS\setup86x\Launch.exe
2006-12-31 02:01 7168 --a------ C:\WINDOWS\setup86x\bw.exe
2006-01-12 22:28 14848 --a------ C:\WINDOWS\setup86x\taskdaemon.exe
2005-08-13 00:15 963 --a------ C:\WINDOWS\setup86x\wmspdcore.dll
2005-08-13 00:15 1029 --a------ C:\WINDOWS\setup86x\wbemupd32.dll
2004-12-03 21:35 2847 --a------ C:\WINDOWS\setup86x\acelpdec.ax
2004-12-03 20:35 65536 --a------ C:\WINDOWS\setup86x\taskdaemonrt.dll
2003-09-29 16:25 31232 --a------ C:\WINDOWS\setup86x\dtreg.exe
2003-03-29 06:54 190976 --a------ C:\WINDOWS\setup86x\libxml2.dll
2003-03-29 06:53 94208 --a------ C:\WINDOWS\setup86x\SvcAdmin.dll
2003-01-30 03:52 974 --a------ C:\WINDOWS\setup86x\d_2990.nls
2003-01-30 03:52 1050 --a------ C:\WINDOWS\setup86x\d_2673.nls
2002-10-12 10:16 38 --a------ C:\WINDOWS\setup86x\d_28559.nls
2002-10-12 10:16 360 --a------ C:\WINDOWS\setup86x\d_27769.nls
2002-01-30 04:27 55171 --a------ C:\WINDOWS\setup86x\NetSec.exe
2001-11-18 09:12 97040 --a------ C:\WINDOWS\setup86x\$NtServicePackUninstall$\win32spl.dll
2001-11-18 09:12 847872 --a------ C:\WINDOWS\setup86x\bin\jawt.dll
2001-11-18 09:12 81680 --a------ C:\WINDOWS\setup86x\$NtServicePackUninstall$\spoolss.dll
2001-11-18 09:12 570 --a------ C:\WINDOWS\setup86x\$NtServicePackUninstall$\spuninst\spuninst.txt
2001-11-18 09:12 5149 --a------ C:\WINDOWS\setup86x\$NtServicePackUninstall$\spuninst\empty.cat
2001-11-18 09:12 45328 --a------ C:\WINDOWS\setup86x\$NtServicePackUninstall$\spoolsv.exe
2001-11-18 09:12 4478 --a------ C:\WINDOWS\setup86x\$NtServicePackUninstall$\spuninst\spuninst.inf
2001-11-18 09:12 25745 --a------ C:\WINDOWS\setup86x\$NtServicePackUninstall$\spuninst\spuninst.exe
2001-11-18 09:12 159744 --a------ C:\WINDOWS\setup86x\bin\jcov.dll
2001-11-18 09:12 102565 --a------ C:\WINDOWS\setup86x\bin\JavaVM.dll
2001-08-21 03:42 997 --a------ C:\WINDOWS\setup86x\jpicpl32.cpl
2001-08-21 03:42 951 --a------ C:\WINDOWS\setup86x\jpicpl32.dll
2001-06-11 03:28 1880576 --a------ C:\WINDOWS\setup86x\logonmgr.exe
2001-03-30 06:12 69927 --a------ C:\WINDOWS\setup86x\java.ocx
2001-03-29 07:48 16896 --a------ C:\WINDOWS\setup86x\autofkt.exe
2001-03-27 17:11 222262 --a------ C:\WINDOWS\setup86x\MSVCP60.DLL
1997-07-19 16:55 649728 --a------ C:\WINDOWS\setup86x\Msvbvm50.dll


((((((((((((((((((((((((((((( snapshot@2008-07-26_19.44.17.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2006-12-02 02:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2004-06-01 05:46 196608]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 07:23 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-05 09:20 1506544]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-06-10 17:31 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-08-10 12:00 311350]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-10 12:00 28739]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2002-09-27 14:38 4214784]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-07-12 00:22 176128]
"mmtask"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-29 15:57 53248]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-05-21 19:11 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-06-01 11:09 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-06-01 11:03 217088]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 20:13 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-13 20:13 49152]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 17:37 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 18:33 1880064]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 16:52 259392]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2008-07-02 16:51 2602904]
"nwiz"="nwiz.exe" [2002-09-27 14:38 446464 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-10-12 17:13 7086080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="C:\WINDOWS\System32\spool\migrate.dll" [2001-08-23 12:00 30208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-25 17:37 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-07-29 10:33 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"aux"= ctwdm32.dll
"VIDC.CTRX"= ctrxvid.drv
"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"UpdReg"=C:\WINDOWS\Updreg.exe
"LoadQM"=loadqm.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\SYSTEM32\hpztsb03.exe
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"RxMon"=C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
"madexe"=C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"WhenUSave"=C:\PROGRA~1\SAVE\Save.exe
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"GhostStartTrayApp"=C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
R1 pctfw2;pctfw2;C:\WINDOWS\SYSTEM32\DRIVERS\pctfw2.sys [2008-03-12 08:30]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
R3 FWAuth;FWAuth Driver;C:\WINDOWS\system32\drivers\FWAuthDriver.sys [2008-07-02 16:50]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;C:\WINDOWS\system32\DRIVERS\SMC1211.SYS [2001-07-11 11:06]
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]
S0 Cdr4vsd;Cdr4vsd;C:\WINDOWS\system32\drivers\Cdr4vsd.sys [2005-01-12 17:37]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 11:11]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [2004-05-21 14:15]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
2008-07-28 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job - G;xPF6 s!2b(C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -cdefault9Scheduled Task for PC Health Scheduler (Data Collection)0) []
2008-07-28 C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job - (&C:\WINDOWS\System32\OOBE\oobebaln.exe/sys /u /n:1SYSTEM0(< []
2008-07-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - s!4:C:\Program Files\Apple Software Update\SoftwareUpdate.exe-taskSYSTEM04 []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 19:26:56
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
C:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\PC TOOLS ANTIVIRUS\PCTAVSVC.EXE
C:\PROGRAM FILES\PC TOOLS FIREWALL PLUS\FWSERVICE.EXE
C:\WINDOWS\SYSTEM32\PSISERVICE.EXE
C:\PROGRAM FILES\THREATFIRE\TFSERVICE.EXE
C:\WINDOWS\system32\devldr32.exe
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-28 19:36:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-28 23:35:54
ComboFix3.txt 2008-07-26 23:45:18
ComboFix2.txt 2008-07-27 19:00:14

Pre-Run: 4,237,557,760 bytes free
Post-Run: 4,230,660,096 bytes free

287 --- E O F --- 2008-07-10 14:40:20

#20
Trout27

    Member

  • Topic Starter
  • 57 posts
And finally, a new HijackThis log... How are we doing?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:12 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon....p;bm=ho_central
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.teachsp...emote/msrdp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 10044 bytes

#21
fenzodahl512

  • Malware Removal
  • 9,863 posts

WARNING!
Looking at your system now, one or more of the identified infections is a backdoor Trojan/Rootkit. If this computer is ever used for on-line banking, I suggest you do the following IMMEDIATELY:

  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online banking/financial purposes until we give it the all clear.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Rootkit::
C:\WINDOWS\system32\drivers\ndisio.sys

File::
C:\WINDOWS\SYSTEM32\AdmDll.dll

Folder::
C:\WINDOWS\setup86x

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.



Please post the following logs in your next reply. Please post each log in a separate post.

1. ComboFix
2. GMER
3. A fresh HijackThis log (after GMER step)


Regards
fenzodahl512

#22
Trout27

    Member

  • Topic Starter
  • 57 posts
First, thanks for the warning. I will talk to my wife and get that taken care of. Here are the latest logs... First the ComboFix:

ComboFix 08-07-26.1 - default 2008-07-28 22:40:41.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.140 [GMT -4:00]
Running from: C:\Documents and Settings\default\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\default\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\SYSTEM32\AdmDll.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\setup86x
C:\WINDOWS\setup86x\$NtServicePackUninstall$\spoolss.dll
C:\WINDOWS\setup86x\$NtServicePackUninstall$\spoolsv.exe
C:\WINDOWS\setup86x\$NtServicePackUninstall$\spuninst\empty.cat
C:\WINDOWS\setup86x\$NtServicePackUninstall$\spuninst\spuninst.exe
C:\WINDOWS\setup86x\$NtServicePackUninstall$\spuninst\spuninst.inf
C:\WINDOWS\setup86x\$NtServicePackUninstall$\spuninst\spuninst.txt
C:\WINDOWS\setup86x\$NtServicePackUninstall$\win32spl.dll
C:\WINDOWS\setup86x\acelpdec.ax
C:\WINDOWS\setup86x\adm_conf.PNF
C:\WINDOWS\setup86x\autofkt.exe
C:\WINDOWS\setup86x\bin\JavaVM.dll
C:\WINDOWS\setup86x\bin\jawt.dll
C:\WINDOWS\setup86x\bin\jcov.dll
C:\WINDOWS\setup86x\bw.exe
C:\WINDOWS\setup86x\Config.exe
C:\WINDOWS\setup86x\d_2673.nls
C:\WINDOWS\setup86x\d_27769.nls
C:\WINDOWS\setup86x\d_28559.nls
C:\WINDOWS\setup86x\d_2990.nls
C:\WINDOWS\setup86x\dtreg.exe
C:\WINDOWS\setup86x\java.ocx
C:\WINDOWS\setup86x\jpicpl32.cpl
C:\WINDOWS\setup86x\jpicpl32.dll
C:\WINDOWS\setup86x\Launch.exe
C:\WINDOWS\setup86x\libxml2.dll
C:\WINDOWS\setup86x\logon.reg
C:\WINDOWS\setup86x\logonmgr.exe
C:\WINDOWS\setup86x\Msvbvm50.dll
C:\WINDOWS\setup86x\MSVCP60.DLL
C:\WINDOWS\setup86x\NetSec.exe
C:\WINDOWS\setup86x\SvcAdmin.dll
C:\WINDOWS\setup86x\systmcf.dll
C:\WINDOWS\setup86x\taskdaemon.exe
C:\WINDOWS\setup86x\taskdaemonrt.dll
C:\WINDOWS\setup86x\wbemupd32.dll
C:\WINDOWS\setup86x\wmipsecure.dll
C:\WINDOWS\setup86x\wmiserv.exe
C:\WINDOWS\setup86x\wmspdcore.dll
C:\WINDOWS\SYSTEM32\AdmDll.dll
C:\WINDOWS\system32\drivers\ndisio.sys

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
.

2008-07-27 23:58 . 2008-07-27 23:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-07-27 23:58 . 2008-07-27 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-27 21:07 . 2008-07-27 21:07 <DIR> d-------- C:\Documents and Settings\default\Application Data\PCToolsFirewallPlus
2008-07-27 21:03 . 2008-07-27 21:03 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
2008-07-27 21:03 . 2008-03-12 08:30 159,896 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pctfw2.sys
2008-07-27 21:03 . 2008-06-24 10:26 93,440 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pctfw.sys
2008-07-27 21:03 . 2008-07-02 16:50 58,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\FWAuthdriver.sys
2008-07-27 21:01 . 2008-07-27 21:01 <DIR> d-------- C:\Program Files\ThreatFire
2008-07-27 21:01 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfFsMon.sys
2008-07-27 21:01 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfSysMon.sys
2008-07-27 21:01 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfNetMon.sys
2008-07-27 21:01 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TfKbMon.sys
2008-07-27 20:49 . 2008-07-27 20:49 <DIR> d-------- C:\Documents and Settings\default\Application Data\PC Tools
2008-07-27 20:45 . 2008-07-27 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-27 20:44 . 2008-07-27 20:44 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-07-27 20:44 . 2008-07-27 20:44 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-07-27 20:44 . 2008-07-27 20:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-27 20:44 . 2007-12-06 15:51 28,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AVHook.sys
2008-07-27 20:44 . 2007-12-06 15:51 21,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AVRec.sys
2008-07-27 20:44 . 2008-02-12 10:44 21,904 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AVFilter.sys
2008-07-27 17:32 . 2008-07-27 17:32 <DIR> d-------- C:\Deckard
2008-07-25 00:40 . 2008-07-25 00:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-18 20:55 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-07-15 18:02 . 2008-07-15 18:02 90,756 --ah----- C:\WINDOWS\SYSTEM32\mlfcache.dat
2008-07-14 22:54 . 2008-07-14 22:55 <DIR> d-------- C:\Program Files\Bonjour
2008-07-14 21:39 . 2008-07-14 21:39 <DIR> d-------- C:\Program Files\Safari
2008-07-04 12:21 . 2008-07-14 09:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-04 12:21 . 2008-07-04 12:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-03 16:04 . 2008-07-03 16:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 16:04 . 2008-07-03 16:04 <DIR> d-------- C:\Documents and Settings\default\Application Data\Malwarebytes
2008-07-03 16:04 . 2008-07-03 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-03 16:04 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-07-03 12:40 . 2008-07-03 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-03 12:26 . 2003-02-20 16:42 229,487 --a------ C:\WINDOWS\SYSTEM32\jpicpl32.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 02:50 212,480 ----a-w C:\WINDOWS\system32\drivers\ndisio.sys
2008-07-10 13:35 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-06-06 01:56 128,368 ----a-w C:\Documents and Settings\default\Application Data\GDIPFONTCACHEV1.DAT
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2000-10-13 20:56 271 --sh--w C:\Program Files\desktop.ini
2000-10-13 20:56 23,357 ---h--w C:\Program Files\folder.htt
2002-02-01 02:00 98,304 ----a-w C:\Program Files\internet explorer\plugins\IEHelper.dll
2003-04-20 13:15 32 --sha-w C:\WINDOWS\{DE2E190C-863A-4527-BAFC-7A16DEC8D1AC}.dat
2003-04-20 13:15 32 --sha-w C:\WINDOWS\SYSTEM\{122662BE-63CB-406B-8750-5A1AE39F982B}.dat
2004-08-04 07:56 50,688 --sh--r C:\WINDOWS\SYSTEM32\smss.exe
2007-12-26 14:58 2,516 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2007-12-26 14:58 168 --sh--r C:\WINDOWS\SYSTEM32\3317E83D67.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-26_19.44.17.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2006-12-02 02:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2004-06-01 05:46 196608]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 07:23 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-05 09:20 1506544]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-06-10 17:31 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-08-10 12:00 311350]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-10 12:00 28739]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2002-09-27 14:38 4214784]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-07-12 00:22 176128]
"mmtask"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-29 15:57 53248]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-05-21 19:11 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-06-01 11:09 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-06-01 11:03 217088]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 20:13 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-13 20:13 49152]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 17:37 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 18:33 1880064]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 16:52 259392]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2008-07-02 16:51 2602904]
"nwiz"="nwiz.exe" [2002-09-27 14:38 446464 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-10-12 17:13 7086080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="C:\WINDOWS\System32\spool\migrate.dll" [2001-08-23 12:00 30208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"= 00000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-25 17:37 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-07-29 10:33 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"aux"= ctwdm32.dll
"VIDC.CTRX"= ctrxvid.drv
"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"UpdReg"=C:\WINDOWS\Updreg.exe
"LoadQM"=loadqm.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\SYSTEM32\hpztsb03.exe
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"RxMon"=C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
"madexe"=C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"WhenUSave"=C:\PROGRA~1\SAVE\Save.exe
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"GhostStartTrayApp"=C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\AIM95\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
R1 pctfw2;pctfw2;C:\WINDOWS\SYSTEM32\DRIVERS\pctfw2.sys [2008-03-12 08:30]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
R3 FWAuth;FWAuth Driver;C:\WINDOWS\system32\drivers\FWAuthDriver.sys [2008-07-02 16:50]
R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;C:\WINDOWS\system32\DRIVERS\SMC1211.SYS [2001-07-11 11:06]
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]
S0 Cdr4vsd;Cdr4vsd;C:\WINDOWS\system32\drivers\Cdr4vsd.sys [2005-01-12 17:37]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 11:11]
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [2004-05-21 14:15]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
2008-07-29 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job - G;xPF6 s!2b(C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -cdefault9Scheduled Task for PC Health Scheduler (Data Collection)0) []
2008-07-29 C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job - (&C:\WINDOWS\System32\OOBE\oobebaln.exe/sys /u /n:1SYSTEM0(< []
2008-07-25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - s!4:C:\Program Files\Apple Software Update\SoftwareUpdate.exe-taskSYSTEM04 []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 22:50:05
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
C:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\PC TOOLS ANTIVIRUS\PCTAVSVC.EXE
C:\PROGRAM FILES\PC TOOLS FIREWALL PLUS\FWSERVICE.EXE
C:\WINDOWS\SYSTEM32\PSISERVICE.EXE
C:\PROGRAM FILES\THREATFIRE\TFSERVICE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-28 23:00:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-29 02:59:48
ComboFix4.txt 2008-07-26 23:45:18
ComboFix3.txt 2008-07-27 19:00:14
ComboFix2.txt 2008-07-28 23:36:52

Pre-Run: 4,167,319,552 bytes free
Post-Run: 4,142,563,328 bytes free

274 --- E O F --- 2008-07-10 14:40:20
#23
Trout27
Now GMER:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-28 23:15:59
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 83939000 ZwAssignProcessToJobObject
SSDT 83939005 ZwConnectPort
SSDT 8393900A ZwCreateFile
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwCreateKey [0xF778DB48]
SSDT 8393900F ZwCreateProcess
SSDT 83939014 ZwCreateProcessEx
SSDT 83939019 ZwCreateThread
SSDT 8393901E ZwDebugActiveProcess
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteKey [0xF778DD38]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteValueKey [0xF778DDDA]
SSDT 83939023 ZwDuplicateObject
SSDT 83939028 ZwLoadDriver
SSDT 8393902D ZwOpenKey
SSDT 83939032 ZwOpenSection
SSDT 83939037 ZwOpenThread
SSDT 83939041 ZwProtectVirtualMemory
SSDT 8393903C ZwResumeThread
SSDT 83939046 ZwSecureConnectPort
SSDT 8393904B ZwSetValueKey
SSDT 83939050 ZwSuspendProcess
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF3D41F20]
SSDT 8393905A ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\spoolsv.exe[228] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[228] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [ 4D, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[228] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[228] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [ 3B, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1F0F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] SHELL32.dll!ShellExecuteExW 7CA017DB 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] SHELL32.dll!ShellExecuteEx 7CA40BB5 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] SHELL32.dll!ShellExecuteA 7CA40EE0 6 Bytes JMP 5F280F5A
.text C:\WINDOWS\system32\spoolsv.exe[228] SHELL32.dll!ShellExecuteW 7CAB4F10 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [ 4D, 5F ]
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [ 3B, 5F ]
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F160F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F100F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F250F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F220F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F130F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F190F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 05, 5F ]
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F400F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F340F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F430F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F460F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F520F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F490F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F370F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F4F0F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] SHELL32.dll!ShellExecuteExW 7CA017DB 6 Bytes JMP 5F310F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] SHELL32.dll!ShellExecuteEx 7CA40BB5 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] SHELL32.dll!ShellExecuteA 7CA40EE0 6 Bytes JMP 5F280F5A
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[536] SHELL32.dll!ShellExecuteW 7CAB4F10 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\system32\PSIService.exe[636] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\PSIService.exe[636] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [ 4D, 5F ]
.text C:\WINDOWS\system32\PSIService.exe[636] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\PSIService.exe[636] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [ 3B, 5F ]
.text C:\WINDOWS\system32\PSIService.exe[636] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\PSIService.exe[636] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\PSIService.exe[636] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\PSIService.exe[636] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\PSIService.exe[636] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\system32\PSIService.exe[636] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\system32\PSIService.exe[636] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\PSIService.exe[636] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\PSIService.exe[636] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\PSIService.exe[636] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\PSIService.exe[636] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\PSIService.exe[636] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\PSIService.exe[636] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\PSIService.exe[636] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\PSIService.exe[636] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\PSIService.exe[636] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\PSIService.exe[636] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\PSIService.exe[636] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1F0F5A
.text C:\WINDOWS\system32\PSIService.exe[636] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\PSIService.exe[636] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\PSIService.exe[636] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\PSIService.exe[636] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\PSIService.exe[636] SHELL32.dll!ShellExecuteExW 7CA017DB 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\PSIService.exe[636] SHELL32.dll!ShellExecuteEx 7CA40BB5 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\PSIService.exe[636] SHELL32.dll!ShellExecuteA 7CA40EE0 6 Bytes JMP 5F280F5A
.text C:\WINDOWS\system32\PSIService.exe[636] SHELL32.dll!ShellExecuteW 7CAB4F10 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [ 41, 5F ]
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [ 2F, 5F ]
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F160F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F100F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F250F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F220F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F130F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F190F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 05, 5F ]
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F310F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F340F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F280F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F370F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F460F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe[668] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F430F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [ 41, 5F ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [ 2F, 5F ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F160F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F250F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F220F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F130F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F190F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 05, 5F ]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F310F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F340F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F280F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F430F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F370F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F460F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[672] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\system32\services.exe[776] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[776] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [ 41, 5F ]
.text C:\WINDOWS\system32\services.exe[776] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[776] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [ 2F, 5F ]
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\services.exe[776] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F280F5A
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\services.exe[776] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\services.exe[776] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F3A0F5A
.text C:\WINDOWS\system32\services.exe[776] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1F0F5A
.text C:\WINDOWS\system32\services.exe[776] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\services.exe[776] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\services.exe[776] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\services.exe[776] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [ 4D, 5F ]
.text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [ 3B, 5F ]
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1F0F5A
.text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\lsass.exe[788] SHELL32.dll!ShellExecuteExW 7CA017DB 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\lsass.exe[788] SHELL32.dll!ShellExecuteEx 7CA40BB5 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\lsass.exe[788] SHELL32.dll!ShellExecuteA 7CA40EE0 6 Bytes JMP 5F280F5A
.text C:\WINDOWS\system32\lsass.exe[788] SHELL32.dll!ShellExecuteW 7CAB4F10 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [ 41, 5F ]
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [ 2F, 5F ]
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F160F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F100F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F250F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F220F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F130F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F190F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 05, 5F ]
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F310F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F340F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F280F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F430F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F370F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F3A0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1F0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F460F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F3D0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[904] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [ 4D, 5F ]
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [ 3B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1F0F5A
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\svchost.exe[944] SHELL32.dll!ShellExecuteExW 7CA017DB 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\svchost.exe[944] SHELL32.dll!ShellExecuteEx 7CA40BB5 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[944] SHELL32.dll!ShellExecuteA 7CA40EE0 6 Bytes JMP 5F280F5A
.text C:\WINDOWS\system32\svchost.exe[944] SHELL32.dll!ShellExecuteW 7CAB4F10 6 Bytes JMP 5F2B0F5A
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [ 4D, 5F ]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [ 3B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F250F5A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F220F5A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetProcAddress 7C80ADA0 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryW 7C80AE4B 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!TerminateThread 7C81CE03 6 Bytes JMP 5F3D0F5A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!DebugActiveProcess 7C85A123 6 Bytes JMP 5F400F5A
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!WinExec 7C86136D 6 Bytes JMP 5F340F5A
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!LsaRemoveAccountRights 77E1AA41 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F4F0F5A
.text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5F430F5A
.text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F460F5A
.text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1F0F5A
.text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5F520F5A
.text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5F490F5A
.text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!EndTask 7E459E75 6 Bytes JMP 5F370F5A
.text C:\WINDOWS\system32\svchost.exe[988] SHELL32.dll!ShellExecuteExW 7CA017DB 6 Bytes JMP 5F310F5A
.text C:\WINDOWS\system32\svchost.exe[988] SHELL32.dll!ShellExecuteEx 7CA40BB5 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[988] SHELL32.dll!ShellExecuteA 7CA40EE0 6 Bytes JMP 5F280F5A
.text C:\WINDOWS\system32\svchost.exe[988] SHELL32.dll!ShellExecuteW 7CAB4F10 6 Bytes JMP 5F2B0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1040] ntdll.dll!NtLoadDriver 7C90DB6E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1040] ntdll.dll!NtLoadDriver + 4 7C90DB72 2 Bytes [ 41, 5F ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1040] ntdll.dll!NtSuspendProcess 7C90E83A 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1040] ntdll.dll!NtSuspendProcess + 4 7C90E83E 2 Bytes [ 2F, 5F ]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1040] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1040] kernel32.dll!LoadLibraryA 7C801D77 6 Bytes JMP 5F160F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1040] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1040] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F100F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1040] kernel32.dll!CreateProcessW 7C8

#24
Trout27 (Topic Starter, Member, 57 posts)
And a fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:39 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\default\Desktop\gmer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon....p;bm=ho_central
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.teachsp...emote/msrdp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 10062 bytes

#25
fenzodahl512 (Malware Removal, 9,863 posts)
Hi.. Your GMER log seems broken.. please attach it.. Don't post it as it will be too long..

#26
Trout27 (Topic Starter, Member, 57 posts)
Here it is

Attached Files

#27
fenzodahl512 (Malware Removal, 9,863 posts)
Hey.. Since it looks like you are waiting for me, just want to tell you that I'm going to work and will only be back about 8 hrs later or so.. Thank you..

#28
Trout27 (Topic Starter, Member, 57 posts)
I should be the one thanking you....I really appreciate the help!!

#29
fenzodahl512 (Malware Removal, 9,863 posts)
1. Please download The Avenger by Swandog46 to your Desktop.
  • Please reboot into Safe Mode
  • Once you are in Safe Mode, right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to delete:
C:\WINDOWS\system32\drivers\ndisio.sys
C:\WINDOWS\system32\Drivers\mchInjDrv.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under "Input script here:" and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log.



Please post the following logs in your next reply..

1. The Avenger
2. A fresh DSS log (in Normal Mode after Avenger step)


Regards
fenzodahl512

#30
Trout27 (Topic Starter, Member, 57 posts)
OK......I did the last steps you requested but now I am unable to access the internet from the PC that we have been working on. I am typing this from a laptop. I have transferred the logs via a USB drive and will attempt to post them....Here is the avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\drivers\ndisio.sys" deleted successfully.

Error: file "C:\WINDOWS\system32\Drivers\mchInjDrv.sys" not found!
Deletion of file "C:\WINDOWS\system32\Drivers\mchInjDrv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.